VYPR
Moderate severity · NVD Advisory · Published Mar 25, 2013 · Updated Apr 29, 2026

CVE-2013-1834

Description

Moodle's notes edit function allowed authenticated users to reassign notes by manipulating userid or courseid fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Moodle, the notes/edit.php script fails to properly validate that the userid and courseid parameters belong to the note being edited. This allows an authenticated user to modify these fields when updating a note, effectively reassigning the note to a different user or course. The vulnerability affects Moodle versions 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 [2].

Exploitation

An attacker must have a valid user account on the Moodle site with the ability to edit notes. The attacker can then craft a POST request to notes/edit.php while modifying the userid or courseid parameters in the submitted form data. No special privileges beyond the ability to edit notes are required. By changing these values, the note is reassigned to a different user or course chosen by the attacker.

Impact

Successful exploitation allows an authenticated user to reassign notes to arbitrary users or courses. This could lead to unauthorized access to notes intended for other users, manipulation of data, or confusion in note-based workflows. The note's content remains unchanged, but its association is altered, potentially violating privacy or data integrity.

Mitigation

The vulnerability is fixed in Moodle versions 2.2.8, 2.3.5, and 2.4.2 [2]. The fix, as shown in commit [4], unsets the courseid and userid fields when updating an existing note, preventing any modification of these attributes during the edit process. Users should upgrade to these or later versions. For earlier branches (1.9.x, 2.x), no official fix was released; users should consider upgrading to a supported version.
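
The pattern behind this fix, as an added example that is not Moodle's code: an update handler that writes every submitted field, beside one that drops the ownership fields on update. The in-memory store, function names and sample request are hypothetical, and the hardened form goes one step beyond the fix by reporting which ownership fields the request tried to change.

```php
<?php
// Added example: in-memory stand-in for the notes table; all names are hypothetical.
// Constructed sample row: note 7 belongs to user 42 in course 3.
$store = [7 => ['id' => 7, 'userid' => 42, 'courseid' => 3, 'content' => 'original']];

// Weak form: every submitted field is written, so ownership fields can change.
function update_note_unfiltered(array &$store, array $submitted): array {
    $id = (int)$submitted['id'];
    $store[$id] = array_merge($store[$id], $submitted);
    return $store[$id];
}

// Hardened form: ownership fields are dropped on update, as in the fix, and
// any attempt to change them is reported so the caller can log or reject it.
function update_note_filtered(array &$store, array $submitted): array {
    $immutable = ['userid', 'courseid'];
    $id = (int)$submitted['id'];
    if (!isset($store[$id])) {
        throw new InvalidArgumentException("unknown note id $id");
    }
    $tampered = [];
    foreach ($immutable as $field) {
        if (array_key_exists($field, $submitted)) {
            if ((int)$submitted[$field] !== (int)$store[$id][$field]) {
                $tampered[] = $field;
            }
            unset($submitted[$field]);
        }
    }
    $submitted['id'] = $id;
    $store[$id] = array_merge($store[$id], $submitted);
    // Return the stored row (not the submitted data) for logging and redirects.
    return ['note' => $store[$id], 'tampered' => $tampered];
}

// Constructed request: edits the text and also carries changed ownership fields.
$request = ['id' => '7', 'content' => 'edited', 'userid' => '99', 'courseid' => '5'];

$weak = $store;
$row = update_note_unfiltered($weak, $request);
printf("unfiltered: userid=%s courseid=%s\n", $row['userid'], $row['courseid']);

$hard = $store;
$result = update_note_filtered($hard, $request);
printf("filtered:   userid=%s courseid=%s tampered=%s\n",
    $result['note']['userid'], $result['note']['courseid'],
    implode(',', $result['tampered']));
```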

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package · Affected versions · Patched versions
  • moodle/moodle (Packagist) · >= 1.9.0, < 2.2.8 · 2.2.8
  • moodle/moodle (Packagist) · >= 2.3.0, < 2.3.5 · 2.3.5
  • moodle/moodle (Packagist) · >= 2.4.0, < 2.4.2 · 2.4.2

Affected products

56
  • Moodle/Moodle · 55 versions
    cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:* + 54 more
  • ghsa-coords
    Range: >= 1.9.0, < 2.2.8

Patches

7
a28da5d9b822

MDL-37411 Note Module: additional patch to fixed undefined property for stable branches

https://github.com/moodle/moodle · Rossiani Wijaya · Mar 6, 2013 · via ghsa
1 file changed · +2 -1
  • notes/lib.php · +2 -1 · modified
    @@ -100,10 +100,11 @@ function note_save(&$note) {
             // insert new note
             $note->created = $note->lastmodified;
             $id = $DB->insert_record('post', $note);
    -        $note = $DB->get_record('post', array('id'=>$id));
    +        $note = note_load($id);
         } else {
             // update old note
             $DB->update_record('post', $note);
    +        $note = note_load($note->id);
         }
         unset($note->module);
         return true;
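Review bot: the result of note_load() is assigned straight back into the by-reference $note on both the insert and the update path without a check, so if the load fails the caller's object is overwritten and the function still reaches `return true`. Check the return value before assigning and return false otherwise. A short comment on the update path saying the reload is there to repopulate properties the caller may have unset would also help, since nothing in note_save() explains why an update needs to re-read the row.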
    
646059869e36

MDL-37411 Note Module: additional patch to fixed undefined property for stable branches

https://github.com/moodle/moodle · Rossiani Wijaya · Mar 6, 2013 · via ghsa
1 file changed · +2 -1
  • notes/lib.php · +2 -1 · modified
    @@ -100,10 +100,11 @@ function note_save(&$note) {
             // insert new note
             $note->created = $note->lastmodified;
             $id = $DB->insert_record('post', $note);
    -        $note = $DB->get_record('post', array('id'=>$id));
    +        $note = note_load($id);
         } else {
             // update old note
             $DB->update_record('post', $note);
    +        $note = note_load($note->id);
         }
         unset($note->module);
         return true;
    
ebfdc35f2a33

MDL-37411 Note Module: additional patch to fixed undefined property for stable branches

https://github.com/moodle/moodle · Rossiani Wijaya · Mar 6, 2013 · via ghsa
1 file changed · +2 -1
  • notes/lib.php · +2 -1 · modified
    @@ -100,10 +100,11 @@ function note_save(&$note) {
             // insert new note
             $note->created = $note->lastmodified;
             $id = $DB->insert_record('post', $note);
    -        $note = $DB->get_record('post', array('id'=>$id));
    +        $note = note_load($id);
         } else {
             // update old note
             $DB->update_record('post', $note);
    +        $note = note_load($note->id);
         }
         unset($note->module);
         return true;
    
1b628c489def

MDL-37411 Notes: unset courseid and userid when updating the note to prevent accidental changes. Thank you Sam Hemelryk for suggesting an alternative solution.

https://github.com/moodle/moodle · Rossiani Wijaya · Mar 5, 2013 · via ghsa
1 file changed · +10 -2
  • notes/edit.php · +10 -2 · modified
    @@ -69,9 +69,17 @@
     }
     
     /// if data was submitted and validated, then save it to database
    -if ($note = $noteform->get_data()){
    +if ($note = $noteform->get_data()) {
    +    $notecourseid = isset($note->courseid) ? $note->courseid : SITEID;
    +    $noteuserid = isset($note->userid) ? $note->userid : 0;
    +    if ($noteid) {
    +        // A noteid has been used, we don't allow editing of course or user so
    +        // lets unset them to be sure we never change that by accident.
    +        unset($note->courseid);
    +        unset($note->userid);
    +    }
         if (note_save($note)) {
    -        add_to_log($note->courseid, 'notes', 'update', 'index.php?course='.$note->courseid.'&amp;user='.$note->userid . '#note-' . $note->id, 'update note');
    +        add_to_log($notecourseid, 'notes', 'update', 'index.php?course='.$notecourseid.'&amp;user='.$noteuserid . '#note-' . $note->id, 'update note');
         }
         // redirect to notes list that contains this note
         redirect($CFG->wwwroot . '/notes/index.php?course=' . $note->courseid . '&amp;user=' . $note->userid);
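Review bot: add_to_log() is now called with $notecourseid and $noteuserid, which are copied from the submitted form data before the unset(), so on the edit path the log entry and its URL record whatever courseid and userid the request carried rather than the values stored with the note. Take both from the saved note after note_save() returns instead. As written, the log line and the redirect on the last context line (which still reads $note->courseid and $note->userid) can point at different courses and users for the same update.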
    
e13f28602605

MDL-37411 Notes: unset courseid and userid when updating the note to prevent accidental changes. Thank you Sam Hemelryk for suggesting an alternative solution.

https://github.com/moodle/moodle · Rossiani Wijaya · Mar 5, 2013 · via ghsa
1 file changed · +10 -2
  • notes/edit.php · +10 -2 · modified
    @@ -69,9 +69,17 @@
     }
     
     /// if data was submitted and validated, then save it to database
    -if ($note = $noteform->get_data()){
    +if ($note = $noteform->get_data()) {
    +    $notecourseid = isset($note->courseid) ? $note->courseid : SITEID;
    +    $noteuserid = isset($note->userid) ? $note->userid : 0;
    +    if ($noteid) {
    +        // A noteid has been used, we don't allow editing of course or user so
    +        // lets unset them to be sure we never change that by accident.
    +        unset($note->courseid);
    +        unset($note->userid);
    +    }
         if (note_save($note)) {
    -        add_to_log($note->courseid, 'notes', 'update', 'index.php?course='.$note->courseid.'&amp;user='.$note->userid . '#note-' . $note->id, 'update note');
    +        add_to_log($notecourseid, 'notes', 'update', 'index.php?course='.$notecourseid.'&amp;user='.$noteuserid . '#note-' . $note->id, 'update note');
         }
         // redirect to notes list that contains this note
         redirect($CFG->wwwroot . '/notes/index.php?course=' . $note->courseid . '&amp;user=' . $note->userid);
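Review bot: in the `if ($noteid)` branch a submitted courseid or userid is discarded silently; nothing compares it with the note's stored values, so a request that tried to change them looks the same as a normal edit. Consider comparing before the unset() and raising an error or writing a distinct log entry on mismatch. The comment should also say the unset is an access control on note ownership, not only a guard against changes "by accident".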
    
6a9235c998da

MDL-37411 Notes: unset courseid and userid when updating the note to prevent accidental changes. Thank you Sam Hemelryk for suggesting an alternative solution.

https://github.com/moodle/moodle · Rossiani Wijaya · Mar 5, 2013 · via ghsa
1 file changed · +6 -0
  • notes/edit.php · +6 -0 · modified
    @@ -70,6 +70,12 @@
     
     /// if data was submitted and validated, then save it to database
     if ($note = $noteform->get_data()){
    +    if ($noteid) {
    +        // A noteid has been used, we don't allow editing of course or user so
    +        // lets unset them to be sure we never change that by accident.
    +        unset($note->courseid);
    +        unset($note->userid);
    +    }
         note_save($note);
         // redirect to notes list that contains this note
         redirect($CFG->wwwroot . '/notes/index.php?course=' . $note->courseid . '&amp;user=' . $note->userid);
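Review bot: the redirect on the last context line reads $note->courseid and $note->userid after the new block has unset them, so on the edit path the URL is only correct if note_save() puts those properties back on the by-reference $note. Either capture the values used for the redirect explicitly, or state that dependency in the comment so a later change to note_save() does not leave the redirect with undefined properties. The return value of note_save() is also ignored here, so the redirect happens whether or not the save succeeded.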
    
bc144ebbe0a7

MDL-37411 Notes: unset courseid and userid when updating the note to prevent accidental changes. Thank you Sam Hemelryk for suggesting an alternative solution.

https://github.com/moodle/moodle · Rossiani Wijaya · Mar 5, 2013 · via ghsa
1 file changed · +10 -2
  • notes/edit.php · +10 -2 · modified
    @@ -69,9 +69,17 @@
     }
     
     /// if data was submitted and validated, then save it to database
    -if ($note = $noteform->get_data()){
    +if ($note = $noteform->get_data()) {
    +    $notecourseid = isset($note->courseid) ? $note->courseid : SITEID;
    +    $noteuserid = isset($note->userid) ? $note->userid : 0;
    +    if ($noteid) {
    +        // A noteid has been used, we don't allow editing of course or user so
    +        // lets unset them to be sure we never change that by accident.
    +        unset($note->courseid);
    +        unset($note->userid);
    +    }
         if (note_save($note)) {
    -        add_to_log($note->courseid, 'notes', 'update', 'index.php?course='.$note->courseid.'&amp;user='.$note->userid . '#note-' . $note->id, 'update note');
    +        add_to_log($notecourseid, 'notes', 'update', 'index.php?course='.$notecourseid.'&amp;user='.$noteuserid . '#note-' . $note->id, 'update note');
         }
         // redirect to notes list that contains this note
         redirect($CFG->wwwroot . '/notes/index.php?course=' . $note->courseid . '&amp;user=' . $note->userid);
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13
