CVE-2023-28443 MEDIUM

CVE-2023-28443: directus vulnerable to Insertion of Sensitive Information into Log File

Vendor Directus
Product directus
Weakness CWE-532 · Sensitive info in logs
Published March 23, 2023
Last update February 21, 2025

CVSS base score

4.2/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.
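The weakness here is CWE-532: a session-bearing value reaching a log sink unredacted. The usual mitigation is to scrub known secret names at the logging layer, before any formatter or handler sees the record. The following is an added example, not Directus's own code or its fix: a Python `logging.Filter` that masks the value of any `directus_refresh_token` occurrence (cookie form and JSON form), with constructed sample log lines. The token values, the logger name and the regular expression are assumptions made for this illustration.

```python
import io
import logging
import re
from typing import List

# Matches "directus_refresh_token=VALUE" (cookie / query form) and
# "directus_refresh_token": "VALUE" (JSON form). The value is captured up to
# whitespace, ';', ',' or a quote. Hypothetical pattern for this example only.
_TOKEN_RE = re.compile(r'(directus_refresh_token"?\s*[=:]\s*"?)([^\s;,"\']+)')


def redact(text: str) -> str:
    """Replace the value of every directus_refresh_token occurrence with [REDACTED]."""
    return _TOKEN_RE.sub(r"\1[REDACTED]", text)


class RedactSecretsFilter(logging.Filter):
    """Logging filter that scrubs refresh-token values before a record is formatted.

    Attached to a handler (not a logger) so it applies to every logger that
    writes to that handler, including third-party ones.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # Fold %-style args into the message first, so a token passed as an
        # argument is scrubbed too, then drop the args to avoid re-formatting.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never suppress the record, only sanitise it


def demo_lines() -> List[str]:
    """Log two constructed lines through a handler with the filter and return the output."""
    logger = logging.getLogger("directus-redaction-demo")  # hypothetical name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()

    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)

    # Constructed sample lines; the token values are placeholders.
    logger.info("Set-Cookie: directus_refresh_token=%s; Path=/; HttpOnly", "constructed-token-value")
    logger.info('response body: {"directus_refresh_token": "constructed-token-value"}')
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo_lines():
        print(line)
```

Redaction at the handler is a backstop, not a substitute for never logging full response bodies or `Set-Cookie` headers in the first place; a detection-side check is to grep existing log archives for the cookie name and rotate any tokens found.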

Key dates

Disclosure timeline

March 23, 2023 CVE published
February 21, 2025 Record updated
