Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0-alpha3

Scan ID: SCAN-DRUPAL-CORE-I7Gn6l • Hash: 215a71a1

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.657s

Vulnerability Details

L443

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:443
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- d+";\\'></body></html>";e.push('<iframe hidefocus="true" frameborder="0" id="cke_dialog_background_iframe" src="javascript:');e.push("void((function(){"+encodeURIComponent("document.open();("+CKEDITOR.tools.fixDomain+")();document.write( '"+d+"' );document.close();")+"})())");e.push('" style="position:absolute;left:0;top:0;width:100%;height: 100%;filter: progid:DXImageTransform.Microsoft.Alpha(opacity=0)"></iframe>')}e.push("</div>");g=CKEDITOR.dom.element.createFromHtml(e.join(""));g.setOpacity(f!=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L387

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:387
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- h);c.setAttribute("type","text/css")}return c}function f(a,c,b){var d,f,g;if(CKEDITOR.env.webkit){c=c.split("}").slice(0,-1);for(f=0;f<c.length;f++)c[f]=c[f].split("{")}for(var e=0;e<a.length;e++)if(CKEDITOR.env.webkit)for(f=0;f<c.length;f++){g=c[f][1];for(d=0;d<b.length;d++)g=g.replace(b[d][0],b[d][1]);a[e].$.sheet.addRule(c[f][0],g)}else{g=c;for(d=0;d<b.length;d++)g=g.replace(b[d][0],b[d][1]);CKEDITOR.env.ie?a[e].$.styleSheet.cssText=a[e].$.styleSheet.cssText+g:a[e].$.innerHTML=a[e].$.innerHTML+
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L101

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:101
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- b.innerHTML = this.nameHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L174

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:174
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- running.innerHTML = "Running: <br/>" + this.nameHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L299

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:299
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- time.innerHTML = this.runtime + " ms";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output