Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0.0-beta3

Scan ID: SCAN-DRUPAL-CORE-CQlEFB • Hash: 4f87658e

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.976s

Vulnerability Details

L487

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:487
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- g.push("void((function(){"+encodeURIComponent("document.open();("+CKEDITOR.tools.fixDomain+")();document.write( '"+d+"' );document.close();")+"})())");g.push('" style="position:absolute;left:0;top:0;width:100%;height: 100%;filter: progid:DXImageTransform.Microsoft.Alpha(opacity=0)"></iframe>')}g.push("</div>");h=CKEDITOR.dom.element.createFromHtml(g.join(""));h.setOpacity(e!=void 0?e:0.5);h.on("keydown",n);h.on("keypress",n);h.on("keyup",n);h.appendTo(CKEDITOR.document.getBody());w[c]=h}a.focusManager.add(h);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L251

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:251
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- li.innerHTML = assertion.message || ( assertion.result ? "okay" : "failed" );
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L72

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:72
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- !b.width&&(b.width=b.right-b.left);!b.height&&(b.height=b.bottom-b.top);return b},setHtml:CKEDITOR.env.ie&&CKEDITOR.env.version<9?function(b){try{var a=this.$;if(this.getParent())return a.innerHTML=b;var c=this.getDocument()._getHtml5ShivFrag();c.appendChild(a);a.innerHTML=b;c.removeChild(a);return b}catch(d){this.$.innerHTML="";a=new CKEDITOR.dom.element("body",this.getDocument());a.$.innerHTML=b;for(a=a.getChildren();a.count();)this.append(a.getItem(0));return b}}:function(b){return this.$.innerHTML=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L703

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:703
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.editor,e=a.document,d=e.body,h=e.getElementById("cke_actscrpt");h&&h.parentNode.removeChild(h);(h=e.getElementById("cke_shimscrpt"))&&h.parentNode.removeChild(h);(h=e.getElementById("cke_basetagscrpt"))&&h.parentNode.removeChild(h);if(CKEDITOR.env.gecko){d.contentEditable=false;if(CKEDITOR.env.version<2E4){d.innerHTML=d.innerHTML.replace(/^.*<\!-- cke-content-start --\>/,"");setTimeout(function(){var a=new CKEDITOR.dom.range(new CKEDITOR.dom.document(e));a.setStart(new CKEDITOR.dom.node(d),0);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L675

Insecure DOM Manipulation (XSS) in jquery.form.js

CWE-79
File Location: core/assets/vendor/jquery-form/jquery.form.js:675
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- xhr.responseText = docRoot ? docRoot.innerHTML : null;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output