
Cloud Vulnerability DB
A community-led vulnerabilities database
Directus, a real-time API and App dashboard for managing SQL database content, was found to have a security vulnerability (CVE-2023-28443) in which the directus_refresh_token was not properly redacted from log output. The vulnerability affected all Directus installations running versions prior to 9.23.3 and was discovered and disclosed on March 23, 2023 (NVD, GitHub Advisory).
The vulnerability stems from improper redaction of sensitive information in log files: the directus_refresh_token was written to log output when LOG_STYLE was set to "raw". This was particularly concerning because a refresh token can be exchanged for access tokens and used to impersonate the user it belongs to. NVD assigned a CVSS v3.1 base score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), a vector reflecting that the attacker needs local, low-privileged access to the logs (NVD).
The exposure of refresh tokens in log files could allow attackers with access to logs to impersonate legitimate users without their permission. This created significant accountability and non-repudiation issues, as actions taken in the application could no longer be confidently attributed to the actual user. Potential malicious activities could include unauthorized data deletion or content manipulation under the guise of legitimate users (GitHub Advisory).
The vulnerability was patched in Directus version 9.23.3. The fix involved implementing proper redaction of sensitive tokens in the logging system. Organizations using affected versions should upgrade to version 9.23.3 or later to address this security issue (NVD, GitHub Patch).
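As an added example that is not Directus's own code or its actual fix: a defender-side redaction routine for log output and a scanner for finding unredacted tokens in existing logs. It assumes the token shows up in logs as a directus_refresh_token= cookie value (or a field of that name in a structured record); the sample log lines are constructed.

```javascript
// Added example (not Directus project code). The cookie name comes from the
// advisory; the log line formats below are constructed assumptions.
const TOKEN_COOKIE = 'directus_refresh_token';

// "directus_refresh_token=<value>" inside Cookie / Set-Cookie style text.
// The negative lookahead keeps already-redacted values from matching again.
const COOKIE_RE = /(directus_refresh_token=)(?!\[REDACTED\])([^;,\s"]+)/g;
// "directus_refresh_token":"<value>" inside JSON-formatted log lines.
const JSON_RE = /("directus_refresh_token"\s*:\s*")(?!\[REDACTED\]")([^"]*)(")/g;

// Redacts the token value wherever it appears in a single log line.
function redactRefreshToken(text) {
  return text
    .replace(COOKIE_RE, '$1[REDACTED]')
    .replace(JSON_RE, '$1[REDACTED]$3');
}

// Walks a structured log record (what a JSON logger emits) and redacts both
// string values carrying the cookie and any field named after the cookie.
function redactRecord(value) {
  if (typeof value === 'string') return redactRefreshToken(value);
  if (Array.isArray(value)) return value.map(redactRecord);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = k === TOKEN_COOKIE ? '[REDACTED]' : redactRecord(v);
    }
    return out;
  }
  return value;
}

// Detection over existing logs: 1-based numbers of lines still carrying a
// live token. String.prototype.search ignores the regex's lastIndex state.
function findExposedTokens(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    if (line.search(COOKIE_RE) !== -1 || line.search(JSON_RE) !== -1) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample lines resembling raw-style request logging.
const SAMPLE_LOG = [
  'GET /items/articles 200 cookie: directus_refresh_token=abc123.def456; theme=dark',
  '{"level":30,"req":{"headers":{"cookie":"directus_refresh_token=abc123.def456"}}}',
  'POST /auth/refresh 200 set-cookie: directus_refresh_token=new789; HttpOnly; Path=/',
  'GET /server/ping 200',
];
```

Run findExposedTokens over an archive of pre-9.23.3 logs to decide which stored lines need scrubbing; redactRecord is the shape of hook to place in front of the log sink rather than after it.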
Source: This report was generated using AI