Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.7.7

Scan ID: SCAN-DRUPAL-CORE-TG2r5U • Hash: 673271cc

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.87s

Vulnerability Details

L95

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:95
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- g!=d.$&&g.contains(d.$)},focus:function(){function d(){try{this.$.focus()}catch(d){}}return function(g){g?CKEDITOR.tools.setTimeout(d,100,this):d.call(this)}}(),getHtml:function(){var d=this.$.innerHTML;return CKEDITOR.env.ie?d.replace(/<\?[^>]*>/g,""):d},getOuterHtml:function(){if(this.$.outerHTML)return this.$.outerHTML.replace(/<\?[^>]*>/,"");var d=this.$.ownerDocument.createElement("div");d.appendChild(this.$.cloneNode(!0));return d.innerHTML},getClientRect:function(d){var g=CKEDITOR.tools.extend({},
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L560

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:560
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- g.push("void((function(){"+encodeURIComponent("document.open();("+CKEDITOR.tools.fixDomain+")();document.write( '"+e+"' );document.close();")+"})())"),g.push('" style\x3d"position:absolute;left:0;top:0;width:100%;height: 100%;filter: progid:DXImageTransform.Microsoft.Alpha(opacity\x3d0)"\x3e\x3c/iframe\x3e')),g.push("\x3c/div\x3e"),f=CKEDITOR.dom.element.createFromHtml(g.join("")),f.setOpacity(void 0!==c?c:.5),f.on("keydown",n),f.on("keypress",n),f.on("keyup",n),f.appendTo(CKEDITOR.document.getBody()),
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L97

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:97
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return d}}:function(d){return this.$.innerHTML=d},setText:function(){var d=document.createElement("p");d.innerHTML="x";d=d.textContent;return function(g){this.$[d?"textContent":"innerText"]=g}}(),getAttribute:function(){var d=function(d){return this.$.getAttribute(d,2)};return CKEDITOR.env.ie&&(CKEDITOR.env.ie7Compat||CKEDITOR.env.quirks)?function(d){switch(d){case "class":d="className";break;case "http-equiv":d="httpEquiv";break;case "name":return this.$.name;case "tabindex":return d=this.$.getAttribute(d,
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L2749

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: core/assets/vendor/jquery/jquery.js:2749
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = "<a href='#'></a>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L9761

Insecure DOM Manipulation (XSS) in jquery.js

CWE-79
File Location: core/assets/vendor/jquery/jquery.js:9761
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- body.innerHTML = "<form></form><form></form>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output