CVE-2023-27481: 
JavaScript vulnerability analysis and mitigation

CVE-2023-27481 affects Directus, a real-time API and App dashboard for managing SQL database content, in versions prior to 9.16.0. The vulnerability was discovered and disclosed on March 7, 2023, allowing users with read access to the password field in directus_users to extract argon2 password hashes through export functionality exploitation (GitHub Advisory).

The vulnerability allows authenticated users to extract password hashes by exploiting the export functionality combined with a _starts_with filter. The attack vector is network-based with low attack complexity, requiring low privileges and no user interaction. The vulnerability has a CVSS v3.1 score of 6.5 (Moderate) with the following metrics: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N (GitHub Advisory).

The vulnerability enables users with read access to enumerate password hashes from the system. However, account takeover is unlikely with current hardware capabilities due to the use of argon2 hashing algorithm, unless the hashes can be successfully reversed (GitHub Advisory).

The vulnerability has been patched in version 9.16.0 by preventing any hashed/concealed field from being filtered against with the _starts_with or other string operators. For users unable to upgrade, the vulnerability can be mitigated by ensuring that no user has read access to the password field in directus_users (GitHub Advisory).