Feed aggregator

UK CAFE Graduate Student to Receive Prestigious Award for Thesis

uknow gradschool - Fri, 02/23/2018 - 9:00am
A UK CAFE graduate student's thesis is attracting lots of positive attention.

Applications for Commencement Student Speaker Being Accepted Through March 28

uknow gradschool - Fri, 02/23/2018 - 9:00am
Students who wish to apply must submit a resume and a copy of their three- to five-minute proposed speech no longer than three-typed, double-spaced pages.

VIDEO: Why This UK Professor's Students Call Her a 'Rock Star'

uknow gradschool - Fri, 02/23/2018 - 9:00am
What makes a teacher truly great? During the next several weeks, UKNow will spotlight each of this year's Great Teachers through a video featuring the award-winning professors with the students who nominated them. This week we feature Milena Minkova from the College of Arts and Sciences.

JSON API - Moderately critical - Multiple Vulnerabilities - SA-CONTRIB-2018-015

Project Security Advisories - Wed, 02/21/2018 - 3:12pm
Project: JSON APIDate: 2018-February-21Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Multiple Vulnerabilities Description: 

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

  • The module doesn't sufficiently associate cacheability metadata in certain situations thereby causing an access bypass vulnerability.

    This vulnerability is mitigated by the fact that an attacker cannot trigger an exploitable situation themselves.

  • The module doesn't sufficiently check access in certain situations.

    This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

Update: This is fixed in 8.x-1.10 not 8.x-1.9Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

CKEditor Upload Image - Critical - Access bypass - SA-CONTRIB-2018-014

Project Security Advisories - Wed, 02/21/2018 - 2:04pm
Project: CKEditor Upload ImageDate: 2018-February-21Security risk: Critical 15∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to drag and drop or paste images into CKEditor.
The module does not sufficiently verify users permissions, which leads to anonymous users being able to upload files to the server.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

Core Security Advisories - Wed, 02/21/2018 - 12:10pm
Project: Drupal coreVersion: 8.4.x-dev7.x-devDate: 2018-February-21Security risk: Critical 16∕25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Multiple Vulnerabilities Description: 

This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.

Comment reply form allows access to restricted content - Critical - Drupal 8

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

Private file access bypass - Moderately Critical - Drupal 7

When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 as a side effect of upgrading Drupal core to use a newer version of jQuery. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass - Moderately Critical - Drupal 8

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution: 

Install the latest version:

Reported By: 
  • Comment reply form allows access to restricted content - Critical - Drupal 8
  • JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8)
  • Private file access bypass - Moderately Critical - Drupal 7
  • jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7
  • Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8
  • Settings Tray access bypass - Moderately Critical - Drupal 8
  • External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7
Fixed By: 

VIDEO: Why a UK Dentistry Professor Shows 'Tough Love' to His Students

uknow gradschool - Fri, 02/16/2018 - 9:00am
What makes a teacher truly great? During the next several weeks, UKNow will spotlight each of this year's Great Teachers through a video featuring the award-winning professors with the students who nominated them. This week we feature Dr. Rodrigo Fuentealba from the College of Dentistry.

VIDEO: Why a UK Dentistry Professor Shows 'Tough Love' to His Students

uknow gradschool - Fri, 02/16/2018 - 9:00am
What makes a teacher truly great? During the next several weeks, UKNow will spotlight each of this year's Great Teachers through a video featuring the award-winning professors with the students who nominated them. This week we feature Dr. Rodrigo Fuentealba from the College of Dentistry.

Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013

Project Security Advisories - Wed, 02/14/2018 - 3:34pm
Project: Entity APIDate: 2018-February-14Security risk: Moderately critical 10∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureDescription: 

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that an attacker needs to be able to trigger the error condition in a way that protected data is exposed.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Entity Backup - Critical - Module Unsupported - SA-CONTRIB-2018-012

Project Security Advisories - Wed, 02/14/2018 - 3:27pm
Project: Entity BackupDate: 2018-February-14Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Module UnsupportedDescription: 

The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module

Reported By: 

Jean-Francois Hovinne

Fixed By: 

N/A

Coordinated By: 

N/A

Dynamic Banner - Critical - Module Unsupported - SA-CONTRIB-2018-011

Project Security Advisories - Wed, 02/14/2018 - 2:01pm
Project: Dynamic BannerDate: 2018-February-14Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Module UnsupportedDescription: 

Dynamic Banner is a module that lightens the load on web developers from creating many blocks for pages with different banners.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module

Reported By: Fixed By: 

N/A

Coordinated By: 

N/A

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010

Project Security Advisories - Wed, 02/14/2018 - 1:28pm
Project: Custom PermissionsVersion: 7.x-2.x-devDate: 2018-February-14Security risk: Moderately critical 14∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module enables the user to set custom permissions per path.

The module doesn't perform sufficient checks on paths with dynamic arguments (like "node/1" or "user/2"), thereby allowing the site administrator to save custom permissions for paths that won't be protected. This could lead to an access bypass vulnerability if the site is relying on the Custom Permissions module to protect those paths.

This vulnerability is mitigated by the fact that it only occurs on sites which attempted to use the Custom Permissions module to protect dynamic paths.

Solution: 

Install the latest version:

After installing the latest version, visit Administration → People → Custom Permissions (admin/people/custom_permissions) and save the form. If it saves with no errors, your site is not vulnerable. However, if an error message is displayed informing you that the module is attempting to protect paths with dynamic arguments that it is unable to protect, your site requires a manual fix; you should reconfigure the site to use a different method to protect these paths (for example, use "node/*" to protect all nodes with the same permission, rather than "node/1" to try to protect only a specific node; or, alternatively, use a node access module to protect the node-related paths with fine-grained access control).

Reported By: Fixed By: Coordinated By: 

VChess - Critical - Module Unsupported - SA-CONTRIB-2018-009

Project Security Advisories - Wed, 02/14/2018 - 10:47am
Project: VChessDate: 2018-February-14Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Module UnsupportedDescription: 

The Drupal VChess module allows users to play a chess game.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module.

Reported By: Fixed By: 

N/A

Coordinated By: 

N/A

Cassuto Reimagines Graduate Education in America

uknow gradschool - Fri, 02/09/2018 - 9:00am
Author Leonard Cassuto visits UK to discuss graduate education in America.

Cassuto Reimagines Graduate Education in America

uknow gradschool - Fri, 02/09/2018 - 9:00am
Author Leonard Cassuto visits UK to discuss graduate education in America.

Entity Reference Tab / Accordion Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-008

Project Security Advisories - Wed, 02/07/2018 - 1:45pm
Project: Entity Reference Tab / Accordion FormatterDate: 2018-February-07Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module enables you to show referenced entities in tabs.

The module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content of the content type that is referenced.

Solution: 

Install the latest version:

  • If you use the Entity Reference Tab / Accordion Formatter module for Drupal 8.x, upgrade to 8.x-1.3
Reported By: Fixed By: Coordinated By: 

FileField Sources - Moderately critical - Information Disclosure - SA-CONTRIB-2018-007

Project Security Advisories - Wed, 02/07/2018 - 12:50pm
Project: FileField SourcesDate: 2018-February-07Security risk: Moderately critical 12∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureDescription: 

This module enables you to upload files to fields via several sources.

The module doesn't sufficiently handle access control under the scenario of the autocomplete path of reference sources.

Solution: 

Install the latest version:

  • If you use the filefield_sources module provided reference source for Drupal 7.x, upgrade to 7.x-1.11.
Reported By: Fixed By: Coordinated By: 

Sister Circle Forum Celebrates and Empowers Women

uknow gradschool - Mon, 02/05/2018 - 9:00am
The Center for Graduate and Professional Diversity Initiatives will host a half-day conference for women Friday, Feb. 9.

Sister Circle Forum Celebrates and Empowers Women

uknow gradschool - Mon, 02/05/2018 - 9:00am
The Center for Graduate and Professional Diversity Initiatives will host a half-day conference for women Friday, Feb. 9.

Vietnam War Remembered, Recounted by History Department

uknow gradschool - Fri, 02/02/2018 - 9:00am
The UK Department of History remembers the 50th anniversary of the heart-wrenching Vietnam War with a new course, HIS-351: The Vietnam War plus a public lecture series beginning Feb. 7.

Pages