CVE-2023-34962: Notebook: Validate that only the author can edit the note · chamilo/chamilo-lms@f9a17bf
Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student’s personal notes.
@@ -35,7 +35,8 @@ function setFocus(){
// Tracking
Event::event_access_tool(TOOL_NOTEBOOK);
$action = isset($_GET[‘action’]) ? $_GET[‘action’] : '’;
$currentUserId = api_get_user_id();
$action = $_GET[‘action’] ?? '’;
$logInfo = [
‘tool’ => TOOL_NOTEBOOK,
@@ -137,6 +138,15 @@ function setFocus(){
exit;
}
// Setting the defaults
$defaults = NotebookManager::get_note_information((int) $_GET[‘notebook_id’]);
if ($currentUserId !== (int) $defaults[‘user_id’]) {
echo Display::return_message(get_lang(‘NotAllowed’), ‘error’);
Display::display_footer();
exit();
}
// Initialize the object
$form = new FormValidator(
'note’,
@@ -159,8 +169,6 @@ function setFocus(){
);
$form->addButtonUpdate(get_lang(‘ModifyNote’), ‘SubmitNote’);
// Setting the defaults
$defaults = NotebookManager::get_note_information(Security::remove_XSS($_GET[‘notebook_id’]));
$form->setDefaults($defaults);
// Setting the rules
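Review bot: The ownership check added just before `// Initialize the object` compares against `$defaults['user_id']` without first confirming that `NotebookManager::get_note_information()` found a row, so an unknown or missing `notebook_id` presumably yields an undefined-index notice and then `(int) null === 0` before the comparison rejects it; `if (empty($defaults) || $currentUserId !== (int) $defaults['user_id']) {` makes the not-found case explicit rather than incidental. The comparison is strict, so it relies on `api_get_user_id()` returning an int — if it can return a numeric string in any code path, the author would be denied too, and `(int) $currentUserId` on the left side removes that dependency. Because `get_note_information()` itself still returns any note by id, the authorisation lives only at this one call site; any other action in this file that acts on `$_GET['notebook_id']` (if one exists outside the hunk) needs the same guard, and a user-scoped lookup in NotebookManager would let every caller share it. The enclosing edit-action branch starts and ends outside the hunk.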