CVE-2023-28443

low-risk
Published 2023-03-24

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.

Do I need to act?

-
0.13% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.2/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Monospace

References (6)

Vendor Advisory https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d...
Patch https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb3531542401...
Exploit https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7
Vendor Advisory https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d...
Patch https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb3531542401...
Exploit https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7
21
/ 100
low-risk
Severity 15/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal