CVE-2024-33883

low-risk
Published 2024-04-28

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

Do I need to act?

~
1.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.0/10 Medium
LOCAL / LOW complexity

References (6)

https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5
https://github.com/mde/ejs/compare/v3.1.9...v3.1.10
https://security.netapp.com/advisory/ntap-20240605-0003/
https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5
https://github.com/mde/ejs/compare/v3.1.9...v3.1.10
https://security.netapp.com/advisory/ntap-20240605-0003/
23
/ 100
low-risk
Severity 14/34 · Moderate
Exploitability 4/34 · Minimal
Exposure 5/34 · Minimal