CVE-2023-27474: 
JavaScript vulnerability analysis and mitigation

Directus, a real-time API and App dashboard for managing SQL database content, was found to be vulnerable to an HTML injection attack (CVE-2023-27474) in versions prior to 9.23.0. The vulnerability affects instances that rely on an allow-listed reset URL, where attackers could exploit query parameters in the reset URL to inject malicious code (GitHub Advisory).

The vulnerability stems from improper handling of URL-encoded query parameters in the reset URL functionality. When processing password reset requests, the system incorrectly handles URL encoding, leading to potential HTML injection through query parameters. The issue was specifically identified in the URL handling code that failed to properly encode query parameter components according to RFC specifications (GitHub Issue).

An attacker could exploit this vulnerability to email users URLs to the server's domain containing malicious code. This could potentially lead to phishing attacks or other malicious activities when users interact with the compromised reset URLs (GitHub Advisory).

The vulnerability has been patched in version 9.23.0. Users are advised to upgrade to this version or later. For those unable to upgrade immediately, a workaround is available by disabling the custom reset URL allow list functionality (GitHub Advisory).