Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.7.0-alpha2

Scan ID: SCAN-DRUPAL-CORE-B8gBg1 • Hash: 6e62a992

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.647s

Vulnerability Details

L94

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:94
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- ""):b},getOuterHtml:function(){if(this.$.outerHTML)return this.$.outerHTML.replace(/<\?[^>]*>/,"");var b=this.$.ownerDocument.createElement("div");b.appendChild(this.$.cloneNode(!0));return b.innerHTML},getClientRect:function(b){var g=CKEDITOR.tools.extend({},this.$.getBoundingClientRect());!g.width&&(g.width=g.right-g.left);!g.height&&(g.height=g.bottom-g.top);return b?CKEDITOR.tools.getAbsoluteRectPosition(this.getWindow(),g):g},setHtml:CKEDITOR.env.ie&&9>CKEDITOR.env.version?function(b){try{var g=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1326

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: core/assets/vendor/jquery/jquery.js:1326
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = "<a href='' disabled='disabled'></a>" +
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L9761

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: core/assets/vendor/jquery/jquery.js:9761
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- body.innerHTML = "<form></form><form></form>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1287

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: core/assets/vendor/jquery/jquery.js:1287
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- docElem.appendChild( el ).innerHTML = "<a id='" + expando + "'></a>" +
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L95

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:95
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.$;if(this.getParent())return g.innerHTML=b;var c=this.getDocument()._getHtml5ShivFrag();c.appendChild(g);g.innerHTML=b;c.removeChild(g);return b}catch(a){this.$.innerHTML="";g=new CKEDITOR.dom.element("body",this.getDocument());g.$.innerHTML=b;for(g=g.getChildren();g.count();)this.append(g.getItem(0));return b}}:function(b){return this.$.innerHTML=b},setText:function(){var b=document.createElement("p");b.innerHTML="x";b=b.textContent;return function(g){this.$[b?"textContent":"innerText"]=g}}(),
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output