This vulnerability in the Moodle Jmol plugin (version 6.1 and prior) involves improper limitation of a pathname to a restricted directory (CWE-22). Specifically, the jsmol.php script accepts a query parameter that is passed directly to PHP's file_get_contents() function without sanitization or validation. This flaw enables attackers to perform path traversal attacks to read arbitrary files on the server filesystem. The vulnerability can be exploited remotely without authentication, increasing its risk. The CVSS 4.0 base score is 8.7, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality. Exploitation evidence was observed by Shadowserver Foundation on 2025-02-02 UTC. There is no indication of an official patch or vendor advisory at this time.

Successful exploitation allows unauthenticated attackers to read arbitrary files on the affected server. This can lead to disclosure of sensitive information such as configuration files and database credentials, potentially compromising the confidentiality of the Moodle LMS environment. The vulnerability does not require user interaction or privileges, making it highly accessible to attackers. No evidence of active widespread exploitation is reported beyond the Shadowserver observation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting access to the vulnerable jsmol.php script, for example by network-level controls or web server configuration, to prevent unauthorized requests. Monitoring for unusual access patterns to this script may also help detect exploitation attempts. Avoid exposing the Moodle Jmol plugin to untrusted networks if possible.