Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0-alpha7

Scan ID: SCAN-DRUPAL-CORE-KCjLV7 • Hash: 86e8f7ab

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.659s

Vulnerability Details

L627

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:627
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var b=CKEDITOR.plugins.enterkey,f=b.enterBr,i=b.enterBlock,h=/^h[1-6]$/}(),function(){function d(d,c){var a={},b=[],f={nbsp:" ",shy:"­",gt:">",lt:"<",amp:"&",apos:"'",quot:'"'},d=d.replace(/\b(nbsp|shy|gt|lt|amp|apos|quot)(?:,|$)/g,function(d,e){var g=c?"&"+e+";":f[e];a[g]=c?f[e]:"&"+e+";";b.push(g);return""});if(!c&&d){var d=d.split(","),i=document.createElement("div"),h;i.innerHTML="&"+d.join(";&")+";";h=i.innerHTML;i=null;for(i=0;i<h.length;i++){var g=h.charAt(i);a[g]="&"+d[i]+";";b.push(g)}}a.regex=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L101

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:101
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- b.innerHTML = this.nameHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L71

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:71
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- c.$.innerHTML=b;for(c=c.getChildren();c.count();)this.append(c.getItem(0));return b}}:b}(),setText:function(b){CKEDITOR.dom.element.prototype.setText=this.$.innerText!=void 0?function(b){return this.$.innerText=b}:function(b){return this.$.textContent=b};return this.setText(b)},getAttribute:function(){var b=function(b){return this.$.getAttribute(b,2)};return CKEDITOR.env.ie&&(CKEDITOR.env.ie7Compat||CKEDITOR.env.ie6Compat)?function(b){switch(b){case "class":b="className";break;case "http-equiv":b=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L671

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:671
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- d);e.ui.addButton&&e.ui.addButton("HorizontalRule",{label:e.lang.horizontalrule.toolbar,command:"horizontalrule",toolbar:"insert,40"})}}})}(),function(){function d(a){var b=this.editor,c=a.document,d=c.body;(a=c.getElementById("cke_actscrpt"))&&a.parentNode.removeChild(a);(a=c.getElementById("cke_shimscrpt"))&&a.parentNode.removeChild(a);if(CKEDITOR.env.gecko){d.contentEditable=false;if(CKEDITOR.env.version<2E4){d.innerHTML=d.innerHTML.replace(/^.*<\!-- cke-content-start --\>/,"");setTimeout(function(){var a=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L403

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:403
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- i);b.setAttribute("type","text/css")}return b}function b(a,b,c){var d,f,g;if(CKEDITOR.env.webkit){b=b.split("}").slice(0,-1);for(f=0;f<b.length;f++)b[f]=b[f].split("{")}for(var e=0;e<a.length;e++)if(CKEDITOR.env.webkit)for(f=0;f<b.length;f++){g=b[f][1];for(d=0;d<c.length;d++)g=g.replace(c[d][0],c[d][1]);a[e].$.sheet.addRule(b[f][0],g)}else{g=b;for(d=0;d<c.length;d++)g=g.replace(c[d][0],c[d][1]);CKEDITOR.env.ie?a[e].$.styleSheet.cssText=a[e].$.styleSheet.cssText+g:a[e].$.innerHTML=a[e].$.innerHTML+
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output