CVE-2025-34032 MEDIUM

CVE-2025-34032: Moodle LMS Jmol Plugin Cross-site Scripting (XSS)

Vendor Moodle
Product Jmol Plugin
Weakness CWE-79 · XSS
Published June 24, 2025
Last update May 14, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

Key dates

02Disclosure timeline

June 24, 2025 CVE published
May 14, 2026 Record updated

Related vulnerabilities

04Related CVE