AI Sec Watch

The AI Scribe WordPress plugin (version 2.3 and earlier) has a SQL injection vulnerability (a flaw where attackers can insert malicious database commands) in its article builder feature that allows authenticated users with Contributor-level access to extract sensitive information from the website's database. The vulnerability exists because the plugin doesn't properly clean up user input before using it in database queries.

The AI Scribe WordPress plugin (versions up to 2.3) has a CSRF vulnerability (cross-site request forgery, where an attacker tricks a logged-in admin into unknowingly making changes to the site). Because the plugin fails to properly validate nonces (security tokens that prevent forged requests), an attacker can trick a site administrator into clicking a malicious link that changes the plugin's settings without the admin's knowledge.

Keras version 3.7.0 has a vulnerability where attackers can write arbitrary files (files placed anywhere on your system) to a user's machine by tricking the get_file function (a tool that downloads files) into downloading a malicious tar file (a compressed file format). This happens because the function doesn't properly verify that downloaded files are legitimate before using them.

A WordPress plugin called 'The Post Saint' (used to generate AI text and images) has a security flaw in versions up to 1.3.1 where it fails to check user permissions and validate file types when uploading files. This allows attackers with basic user accounts to upload malicious files that could let them execute arbitrary code (RCE, running unauthorized commands) on the website.

A security researcher demonstrated at Black Hat Europe how prompt injection (tricking an AI by hiding instructions in its input) can be used to create a Command and Control system (C2, a central server that remotely directs compromised systems) that remotely controls multiple ChatGPT instances. An attacker could compromise ChatGPT instances and force them to follow updated instructions from this central C2 system, potentially impacting all aspects of the CIA security triad (confidentiality, integrity, and availability of data).

LangChain4j-AIDeepin, a RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) project, uses MD5 (a weak cryptographic hashing function) to hash files in versions before 3.5.0, which can cause file upload conflicts when different files produce the same hash value. This vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 6.9 and is classified as medium severity.

Microsoft 365 Copilot (a generative AI assistant built into Microsoft 365) had a security issue where generated images could be accessed without authentication (meaning anyone could view them without logging in). The issue has been fixed. The article also mentions that system prompts (the hidden instructions that guide an AI's behavior) for this tool have been updated over time, including changes to how it accesses enterprise search features.

CVE-2024-56137 is a remote command execution vulnerability (a flaw that lets attackers run system commands from a distance) in MaxKB, an open source knowledge base system that uses RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions). Before version 1.9.0, privileged users could execute operating system commands through custom scripts, but this weakness has been patched in the newer version.

free-one-api, a tool that lets users access large language model reverse engineering libraries (code or techniques to understand how AI models work) through OpenAI's API format, uses MD5 (a password hashing algorithm, or mathematical function to scramble passwords) to protect user passwords in versions 1.0.1 and earlier. MD5 is cryptographically broken (mathematically compromised and no longer secure), making it vulnerable to collision attacks (where attackers can forge different inputs that produce the same hash) and easy to crack with modern computers, putting user credentials at risk.