The Jmol/JSmol plugin is used to display chemical structures in Moodle using Java and JavaScript. The plugin uses a PHP server-side proxy to bypass client-side security constraints (the browser's same-origin restrictions on cross-site requests) while loading third-party resources. This PHP proxy script passes unvalidated user input straight to file_get_contents().
With PHP's default configuration (allow_url_fopen enabled), this makes Moodle instances with this plugin vulnerable to directory traversal (reading arbitrary local files the web server can access) and server-side request forgery (making the server fetch URLs of the attacker's choosing, including internal ones). If PHP's “expect” wrapper is enabled (it is provided by the PECL expect extension and is not available by default), the same call can also lead to remote code execution, since expect:// executes the remainder of the URL as a shell command.
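The following is an added illustration, not the plugin's own proxy script and not the upstream fix: a hypothetical proxy written in the vulnerable pattern next to a hardened replacement that only fetches http(s) URLs from an allowlist of hosts and refuses names that resolve to non-public addresses. It assumes PHP 8; the function names (proxy_fetch_unsafe, proxy_check_url, proxy_fetch_safe, is_public_ip), the PROXY_ALLOWED_HOSTS list and the stub resolver results are all constructed for the example.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical JSmol-style proxy
// that hands the "url" query parameter straight to file_get_contents(), and a
// hardened replacement that only fetches http(s) URLs from allowlisted hosts.

// Vulnerable pattern (do not deploy): the caller controls the whole filename
// argument, so ../../config.php, file:///etc/passwd, http://169.254.169.254/
// and expect://id are all accepted as-is.
function proxy_fetch_unsafe(string $url): string|false
{
    return @file_get_contents($url);
}

// Hosts the proxy may reach (assumption: the site admin maintains this list).
const PROXY_ALLOWED_HOSTS = ['files.rcsb.org', 'www.ebi.ac.uk'];

// True only for globally routable addresses: loopback, RFC 1918, link-local
// (cloud metadata at 169.254.169.254) and reserved ranges are rejected even
// when an allowlisted DNS name points at them.
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Validate a requested URL. Returns null when it may be fetched, otherwise the
// reason it was refused. The resolver is injected so the check runs offline.
function proxy_check_url(string $url, array $allowed_hosts, callable $resolve): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return 'not an absolute URL';            // ../../config.php, /etc/passwd
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme $scheme not allowed";     // file://, php://, phar://, expect://, ...
    }
    if (!isset($parts['host'])) {
        return 'missing host';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL not allowed'; // http://files.rcsb.org@attacker.example/
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return "host $host not in allowlist";    // also catches raw IP literals
    }
    $ips = $resolve($host);
    if (empty($ips)) {
        return "host $host does not resolve";
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return "host $host resolves to non-public address $ip";
        }
    }
    return null;
}

// Fetch with redirects disabled: a permitted host could otherwise bounce the
// proxy to an internal address after the check has already passed.
function proxy_fetch_safe(string $url): string|false
{
    $err = proxy_check_url($url, PROXY_ALLOWED_HOSTS, fn($h) => gethostbynamel($h) ?: []);
    if ($err !== null) {
        http_response_code(400);
        return false;
    }
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => 5],
    ]);
    return file_get_contents($url, false, $ctx);
}

// Offline demonstration with constructed inputs and a stub resolver.
$stub_resolver = fn(string $h) => match ($h) {
    'files.rcsb.org' => ['128.6.159.245'], // constructed public address
    'www.ebi.ac.uk'  => ['10.0.0.5'],      // constructed: allowlisted name pointing at an internal IP
    default          => [],
};
$inputs = [
    '../../config.php',
    'file:///etc/passwd',
    'expect://id',
    'http://127.0.0.1:8080/',
    'http://169.254.169.254/latest/meta-data/',
    'http://files.rcsb.org@attacker.example/x',
    'http://www.ebi.ac.uk/x.pdb',
    'https://files.rcsb.org/download/1crn.pdb',
];
foreach ($inputs as $u) {
    printf("%-45s %s\n", $u, proxy_check_url($u, PROXY_ALLOWED_HOSTS, $stub_resolver) ?? 'allowed');
}
```

Running the script prints a verdict per input; only the last URL is allowed, and the www.ebi.ac.uk entry shows why the resolved address has to be checked and not just the host name. One caveat remains: the name is resolved once for the check and again by file_get_contents() for the fetch, so a DNS rebinding attacker can still win that race. Closing it means connecting to the address that was checked (for example with cURL and CURLOPT_RESOLVE) and, independently of the code, restricting the web server's egress to the allowlisted hosts.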
To fix this vulnerability, update the Jmol plugin to the latest version.