Citrix | added 2024/07/13 12:0 a.m. | 6 views

How to Manually Create a Database for Provisioning Services

This article describes how to manually create a database for Provisioning Services when the database administrator prefers to create the database manually. Requirements The DbScript.exe file located in “C:\Program Files\Citrix\Provisioning Services”. SQL Database Server. SysAdmin privileges to ru...

7.5 AI score | Exploits 0
CVE | added 2024/07/08 5:27 p.m. | 84 views

CVE-2024-39896

Directus (real-time API/admin for SQL content) has a user-enumeration flaw when relying on SSO providers together with local login. If an email exists and belongs to a known SSO provider, Directus may emit a “helpful” error indicating the user belongs to another provider, enabling enumeration of ...

7.5 CVSS | 7.5 AI score | 0.0053 EPSS | Exploits 1 | References 2 | Affected Software 1
Vulnrichment | added 2024/07/08 5:27 p.m. | 11 views

CVE-2024-39896 Directus allows SSO User Enumeration

Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs t...

7.5 CVSS | 7.2 AI score | 0.0053 EPSS | Exploits 1 | References 2
OSV | added 2024/07/08 5:27 p.m. | 15 views

CVE-2024-39896 Directus allows SSO User Enumeration

Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs t...

7.5 CVSS | 6.9 AI score | 0.0053 EPSS | Exploits 1 | References 4
NVD | added 2024/07/08 5:15 p.m. | 21 views

CVE-2024-39701

Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles the `_in` and `_nin` operators. It evaluates empty arrays as valid, so expressions like `"role": { "_in": $CURRENT_USER.some_field }` would evaluate to true, allowing the request to pass. This...

7.7 CVSS | 0.00106 EPSS | Exploits 1 | References 1
Vulnrichment | added 2024/07/08 4:43 p.m. | 13 views

CVE-2024-39701 Directus incorrectly handles `_in` filter

Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles the `_in` and `_nin` operators. It evaluates empty arrays as valid, so expressions like `"role": { "_in": $CURRENT_USER.some_field }` would evaluate to true, allowing the request to pass. This...

6.3 CVSS | 7.3 AI score | 0.00106 EPSS | Exploits 1 | References 1
OSV | added 2024/07/08 3:32 p.m. | 24 views

CVE-2024-39699 Directus has a Blind SSRF On File Import

Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...

5 CVSS | 7.2 AI score | 0.00087 EPSS | Exploits 1 | References 4
CNNVD | added 2024/07/08 12:0 a.m. | 1 view

Directus Security Vulnerabilities

Directus is a real-time API and application dashboard used to manage SQL database content. A security vulnerability exists in Directus versions prior to 10.12.0. An attacker can exploit the vulnerability to overwhelm the server by requesting the same field multiple times in a single query...

6.5 CVSS | 6.7 AI score | 0.00859 EPSS | Exploits 1 | References 3
The Hacker News | added 2024/06/27 10:4 a.m. | 37 views

Prompt Injection Flaw in Vanna AI Exposes Databases to RCE Attacks

Cybersecurity researchers have disclosed a high-severity security flaw in the Vanna.AI library that could be exploited to achieve remote code execution via prompt injection techniques. The vulnerability, tracked as CVE-2024-5565 (CVSS score: 8.1), relates to a case of prompt injection...

8.1 CVSS | 8.6 AI score | 0.05237 EPSS | Exploits 0
NVD | added 2024/06/13 2:15 p.m. | 14 views

CVE-2024-37309

CrateDB is a distributed SQL database. A high-risk vulnerability has been identified in versions prior to 5.7.2 where the TLS endpoint port 4200 permits client-initiated renegotiation. In this scenario, an attacker can exploit this feature to repeatedly request renegotiation of security parameter...

5.3 CVSS | 0.0025 EPSS | Exploits 1 | References 3
CVE | added 2024/06/13 1:59 p.m. | 43 views

CVE-2024-37309

CVE-2024-37309 affects CrateDB

5.3 CVSS | 5.5 AI score | 0.0025 EPSS | Exploits 1 | References 3 | Affected Software 1
Cvelist | added 2024/06/03 2:59 p.m. | 14 views

CVE-2024-36128 Directus is soft-locked by providing a string value to random string util

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of...

7.5 CVSS | 7.5 AI score | 0.00353 EPSS | Exploits 1 | References 2
Vulnrichment | added 2024/06/03 2:59 p.m. | 14 views

CVE-2024-36128 Directus is soft-locked by providing a string value to random string util

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of...

7.5 CVSS | 7.2 AI score | 0.00353 EPSS | Exploits 1 | References 2
OSV | added 2024/06/03 2:59 p.m. | 14 views

CVE-2024-36128 Directus is soft-locked by providing a string value to random string util

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of...

7.5 CVSS | 7.3 AI score | 0.00353 EPSS | Exploits 1 | References 4
NVD | added 2024/05/14 3:39 p.m. | 8 views

CVE-2024-34708

Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the alias functionality on the API. Normally, these redacted fields will return however if we...

4.9 CVSS | 5.1 AI score | 0.00324 EPSS | Exploits 1 | References 2
Cvelist | added 2024/05/13 7:39 p.m. | 28 views

CVE-2024-34709 Directus Lacks Session Tokens Invalidation

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens in that they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted, but if the cookie value is...

5.4 CVSS | 5.9 AI score | 0.00226 EPSS | Exploits 1 | References 2
OSV | added 2024/05/13 7:39 p.m. | 16 views

CVE-2024-34709 Directus Lacks Session Tokens Invalidation

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens in that they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted, but if the cookie value is...

5.4 CVSS | 5.8 AI score | 0.00226 EPSS | Exploits 1 | References 4
CVE | added 2024/05/13 7:39 p.m. | 72 views

CVE-2024-34709

Directus before version 10.11.0 does not invalidate session tokens on logout. The directus_session cookie is destroyed, but if the cookie value is captured, it remains valid for the token’s full expiry (1 day by default), effectively making it a long-lived, unrevokable stateless token. The issue ...

5.4 CVSS | 5.6 AI score | 0.00226 EPSS | Exploits 1 | References 2 | Affected Software 1
Vulnrichment | added 2024/05/13 7:33 p.m. | 12 views

CVE-2024-34708 Directus allows redacted data extraction on the API through "alias"

Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the alias functionality on the API. Normally, these redacted fields will return however if we...

4.9 CVSS | 6.8 AI score | 0.00324 EPSS | Exploits 1 | References 2
Cvelist | added 2024/05/13 7:33 p.m. | 22 views

CVE-2024-34708 Directus allows redacted data extraction on the API through "alias"

Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the alias functionality on the API. Normally, these redacted fields will return however if we...

4.9 CVSS | 5.4 AI score | 0.00324 EPSS | Exploits 1 | References 2