Security Vulnerabilities - CVEs Published In October 2024
An issue was discovered in Ollama before 0.1.46. It exposes which files exist on the server on which it is deployed via path traversal in the api/push route.
CVSS Score
7.5
EPSS Score
0.161
Published
2024-10-31
Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter.
CVSS Score
9.8
EPSS Score
0.142
Published
2024-10-31
Qualitor v8.24 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /request/viewValidacao.php.
CVSS Score
7.5
EPSS Score
0.836
Published
2024-10-31
An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing a primitive for file existence on the server.
CVSS Score
7.5
EPSS Score
0.107
Published
2024-10-31
An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-controlled blob file, the attacker can crash the application through the CreateModel route, leading to a segmentation fault (signal SIGSEGV: segmentation violation).
CVSS Score
8.2
EPSS Score
0.002
Published
2024-10-31
An issue was discovered in Ollama before 0.1.34. The CreateModelHandler function uses os.Open to read a file until completion. The req.Path parameter is user-controlled and can be set to /dev/random, which is blocking, causing the goroutine to run infinitely (even after the HTTP request is aborted by the client).
CVSS Score
7.5
EPSS Score
0.002
Published
2024-10-31
Projectworlds Online Admission System v1 is vulnerable to SQL Injection in index.php via the 'a_id' parameter.
CVSS Score
9.1
EPSS Score
0.001
Published
2024-10-31
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via the mobile number or email parameter.
CVSS Score
9.1
EPSS Score
0.0
Published
2024-10-31
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php.
CVSS Score
9.8
EPSS Score
0.0
Published
2024-10-31
Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the the username parameter.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-10-31