Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0.0-alpha14

Scan ID: SCAN-DRUPAL-CORE-10LDp7 • Hash: e56b06c5

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.802s

Vulnerability Details

L5

Insecure DOM Manipulation (XSS) in html5.js

CWE-79
File Location: core/assets/vendor/html5shiv/html5.js:5
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- a.createElement=function(c){return!e.shivMethods?b.createElem(c):p(c,a,b)};a.createDocumentFragment=Function("h,f","return function(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&("+m().join().replace(/\w+/g,function(a){b.createElem(a);b.frag.createElement(a);return'c("'+a+'")'})+");return n}")(e,b.frag)}function q(a){a||(a=f);var b=i(a);if(e.shivCSS&&!j&&!b.hasCSS){var c,d=a;c=d.createElement("p");d=d.getElementsByTagName("head")[0]||d.documentElement;c.innerHTML="x<style>article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}mark{background:#FF0;color:#000}</style>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L675

Insecure DOM Manipulation (XSS) in jquery.form.js

CWE-79
File Location: core/assets/vendor/jquery-form/jquery.form.js:675
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- xhr.responseText = docRoot ? docRoot.innerHTML : null;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L6

Insecure DOM Manipulation (XSS) in html5.js

CWE-79
File Location: core/assets/vendor/html5shiv/html5.js:6
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- c=d.insertBefore(c.lastChild,d.firstChild);b.hasCSS=!!c}g||t(a,b);return a}var k=l.html5||{},s=/^<|^(?:button|map|select|textarea|object|iframe|option|optgroup)$/i,r=/^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|label|li|ol|p|q|span|strong|style|table|tbody|td|th|tr|ul)$/i,j,o="_html5shiv",h=0,n={},g;(function(){try{var a=f.createElement("a");a.innerHTML="<xyz></xyz>";j="hidden"in a;var b;if(!(b=1==a.childNodes.length)){f.createElement("a");var c=f.createDocumentFragment();b="undefined"==typeof c.cloneNode||
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L694

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:694
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- {init:function(f){if(!f.blockless){f.addCommand("horizontalrule",b);f.ui.addButton&&f.ui.addButton("HorizontalRule",{label:f.lang.horizontalrule.toolbar,command:"horizontalrule",toolbar:"insert,40"})}}})}(),function(){function b(b){var a=this.editor,e=b.document,d=e.body;(b=e.getElementById("cke_actscrpt"))&&b.parentNode.removeChild(b);(b=e.getElementById("cke_shimscrpt"))&&b.parentNode.removeChild(b);if(CKEDITOR.env.gecko){d.contentEditable=false;if(CKEDITOR.env.version<2E4){d.innerHTML=d.innerHTML.replace(/^.*<\!-- cke-content-start --\>/,
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L101

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:101
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- b.innerHTML = this.nameHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output