Topic: | Cross-site request forgery and missing access control in course completion |
Severity: | Major |
Versions affected: | <2.0.2 (1.9.x not affected) |
Reported by: | Internal code review |
Issue no.: | MDL-26198 |
Solution: | Upgrade to latest version |
Workaround: | Disable course completion |
Description:
We have discovered several problems in the course completion code during code review which could allow an attacker to mark activities and courses as completed.