|Topic:||Cross-site request forgery and missing access control in course completion|
|Versions affected:||<2.0.2 (1.9.x not affected)|
|Reported by:||Internal code review|
|Solution:||Upgrade to latest version|
|Workaround:||Disable course completion|
We have discovered several problems in the course completion code during code review which could allow an attacker to mark activities and courses as completed.