AI Sec Watch

Ollama before version 0.1.47 has a vulnerability in its extractFromZipFile function where it can extract files from a ZIP archive outside of the intended parent directory, a weakness called path traversal (CWE-22, where an attacker manipulates file paths to access directories they shouldn't). This could allow an attacker to write files to unintended locations on a system when processing a specially crafted ZIP file.

Microsoft 365 Copilot has a vulnerability that allows attackers to steal personal information like emails and MFA codes through a multi-step attack. The exploit uses prompt injection (tricking an AI by hiding malicious instructions in emails or documents), automatic tool invocation (making Copilot search for additional sensitive data without user permission), and ASCII smuggling (hiding data in invisible characters within clickable links) to extract and exfiltrate personal information.

CVE-2024-7110 is a vulnerability in GitLab EE (a code management platform) versions 17.0 through 17.3 that allows an attacker to execute arbitrary commands (run code of their choice) in a victim's pipeline through prompt injection (tricking the system by hiding malicious instructions in user input). This vulnerability affects multiple recent versions of the software.

The European AI Act assigns the European Commission's AI Office various responsibilities for regulating AI systems, including promoting AI literacy, overseeing biometric identification systems used by law enforcement, managing a registry of certified testing bodies (notified bodies that verify AI safety), and investigating whether these bodies remain competent. Most of these oversight duties take effect starting February or August 2025, with no specific deadlines given for completing individual tasks.

The EU AI Act requires member states to receive and register notifications about high-risk AI systems (AI systems that pose significant risks to safety or rights) from various parties, including law enforcement agencies using facial recognition systems, AI providers, importers, and organizations deploying these systems. These responsibilities take effect in two phases: August 2, 2025, and August 2, 2026, with member states also needing to assess conformity assessment bodies (independent organizations that verify AI systems meet safety standards) and share documentation with the European Commission.

A researcher discovered a security flaw in Google AI Studio where prompt injection (tricking an AI by hiding instructions in its input) allowed data exfiltration (stealing data) through HTML image tags rendered by the system. The vulnerability worked because Google AI Studio lacked a Content Security Policy (a security rule that restricts where a webpage can load resources from), making it possible to send data to unauthorized servers.

Khoj, an application that creates personal AI agents, has a vulnerability in its Automation feature where users can insert arbitrary HTML and JavaScript code through the q parameter of the /api/automation endpoint due to improper input sanitization (a security flaw called stored XSS, where malicious code gets saved and runs when the page loads). This allows attackers to inject harmful code that affects other users viewing the page.

The Chatbot with ChatGPT WordPress plugin before version 2.4.5 has a SQL injection vulnerability (a type of attack where malicious code is inserted into database queries), which can be exploited by anyone without needing to log in when they submit messages to the chatbot. The plugin fails to properly sanitize and escape a parameter, meaning it doesn't clean or protect user input before using it in a SQL statement.

The Chatbot with ChatGPT WordPress plugin before version 2.4.5 has a vulnerability where it does not properly clean and escape user inputs, allowing attackers to perform Stored Cross-Site Scripting attacks (XSS, a type of attack where malicious code gets saved and runs when admins view it) without needing to be logged in.