| Topic: | Cross-site request forgery and missing access control in course completion |
| Severity: | Major |
| Versions affected: | <2.0.2 (1.9.x not affected) |
| Reported by: | Internal code review |
| Issue no.: | MDL-26198 |
| Solution: | Upgrade to latest version |
| Workaround: | Disable course completion |
Description:
We have discovered several problems in the course completion code during code review which could allow an attacker to mark activities and courses as completed.