AI Sec Watch

streamlit-geospatial, an application for mapping geographic data, has a vulnerability where user input is passed directly to a function that makes web requests to any server the attacker specifies, known as SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests on their behalf). This allows attackers to make the application send requests to arbitrary destinations.

streamlit-geospatial, an application for working with geographic data in Streamlit (a Python framework for building data apps), has a vulnerability where user input is directly passed to the eval() function (which executes code from text), allowing attackers to run arbitrary code on the server. The vulnerability was fixed in commit c4f81d9616d40c60584e36abb15300853a66e489.

streamlit-geospatial is a mapping application built with Streamlit (a framework for creating data apps). Before a certain update, the app took user input into a variable called `vis_params` and then ran it through the `eval()` function (which executes code), allowing attackers to run arbitrary commands on the server.

CVE-2024-41115 is a vulnerability in streamlit-geospatial (a tool for working with maps and geographic data in Streamlit, a Python framework for building data apps) where user input is passed directly into the eval() function (a dangerous function that executes code), allowing attackers to run arbitrary code on the server. The vulnerability existed in the `palette` variable handling on line 488-493 of the timelapse page file.

streamlit-geospatial is a web application for mapping and geographic data analysis built with Streamlit (a Python framework for data apps). The application has a critical vulnerability where user input is passed directly into the `eval()` function (a command that executes text as code), allowing attackers to run arbitrary code on the server.

streamlit-geospatial, a tool for building map-based applications, has a vulnerability where user input is passed directly into the eval() function (a function that executes code text as if it were written in the program), allowing attackers to run arbitrary code on the server. The vulnerability existed in the `vis_params` variable handling in the Timelapse.py file before a specific code commit fixed it.

streamlit-geospatial is a Streamlit app (a Python framework for building data apps) for geospatial applications that had a vulnerability where user input for a palette variable was passed directly into the eval() function (a dangerous function that executes code), allowing attackers to run arbitrary code on the server. The vulnerability was fixed in commit c4f81d9616d40c60584e36abb15300853a66e489.

Open edX is a learning management platform (software that manages courses and students) where instructors upload CSV files (spreadsheet files with student data) to create student groups called cohorts. In certain versions, these uploaded files could become publicly accessible on AWS S3 buckets (cloud storage), exposing sensitive learner information to anyone on the internet.

Google Colab AI (now called Gemini in Colab) had a vulnerability where data could leak through image rendering, discovered in November 2023. The system prompt (hidden instructions that control how an AI behaves) specifically warned the AI not to render images, suggesting this was a known risk that Google tried to prevent.