Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.7.10

Scan ID: SCAN-DRUPAL-CORE-KQosX5 • Hash: 515ab26c

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.85s

Vulnerability Details

L95

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:95
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- g!=d.$&&g.contains(d.$)},focus:function(){function d(){try{this.$.focus()}catch(d){}}return function(g){g?CKEDITOR.tools.setTimeout(d,100,this):d.call(this)}}(),getHtml:function(){var d=this.$.innerHTML;return CKEDITOR.env.ie?d.replace(/<\?[^>]*>/g,""):d},getOuterHtml:function(){if(this.$.outerHTML)return this.$.outerHTML.replace(/<\?[^>]*>/,"");var d=this.$.ownerDocument.createElement("div");d.appendChild(this.$.cloneNode(!0));return d.innerHTML},getClientRect:function(d){var g=CKEDITOR.tools.extend({},
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L502

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:502
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- d.length;c++)g=g.replace(d[c][0],d[c][1]);b[f].$.sheet.addRule(a[e][0],g)}else{g=a;for(c=0;c<d.length;c++)g=g.replace(d[c][0],d[c][1]);CKEDITOR.env.ie&&11>CKEDITOR.env.version?b[f].$.styleSheet.cssText+=g:b[f].$.innerHTML+=g}}var l={};CKEDITOR.skin={path:e,loadPart:function(b,a){CKEDITOR.skin.name!=CKEDITOR.skinName.split(",")[0]?CKEDITOR.scriptLoader.load(CKEDITOR.getUrl(e()+"skin.js"),function(){c(b,a)}):c(b,a)},getPath:function(b){return CKEDITOR.getUrl(f(b))},icons:{},addIcon:function(b,a,d,c){b=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2749

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: core/assets/vendor/jquery/jquery.js:2749
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = "<a href='#'></a>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2762

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: core/assets/vendor/jquery/jquery.js:2762
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = "<input/>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L96

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:96
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.$.getBoundingClientRect());!g.width&&(g.width=g.right-g.left);!g.height&&(g.height=g.bottom-g.top);return d?CKEDITOR.tools.getAbsoluteRectPosition(this.getWindow(),g):g},setHtml:CKEDITOR.env.ie&&9>CKEDITOR.env.version?function(d){try{var g=this.$;if(this.getParent())return g.innerHTML=d;var b=this.getDocument()._getHtml5ShivFrag();b.appendChild(g);g.innerHTML=d;b.removeChild(g);return d}catch(a){this.$.innerHTML="";g=new CKEDITOR.dom.element("body",this.getDocument());g.$.innerHTML=d;for(g=g.getChildren();g.count();)this.append(g.getItem(0));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output