Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0-alpha6

Scan ID: SCAN-DRUPAL-CORE-Tuy5d3 • Hash: 0c0a7566

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.405s

Vulnerability Details

L105

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:105
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- a.innerHTML = "Rerun";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L71

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:71
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- c.$.innerHTML=b;for(c=c.getChildren();c.count();)this.append(c.getItem(0));return b}}:b}(),setText:function(b){CKEDITOR.dom.element.prototype.setText=this.$.innerText!=void 0?function(b){return this.$.innerText=b}:function(b){return this.$.textContent=b};return this.setText(b)},getAttribute:function(){var b=function(b){return this.$.getAttribute(b,2)};return CKEDITOR.env.ie&&(CKEDITOR.env.ie7Compat||CKEDITOR.env.ie6Compat)?function(b){switch(b){case "class":b="className";break;case "http-equiv":b=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L69

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:69
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- contains:CKEDITOR.env.ie||CKEDITOR.env.webkit?function(b){var f=this.$;return b.type!=CKEDITOR.NODE_ELEMENT?f.contains(b.getParent().$):f!=b.$&&f.contains(b.$)}:function(b){return!!(this.$.compareDocumentPosition(b.$)&16)},focus:function(){function b(){try{this.$.focus()}catch(b){}}return function(f){f?CKEDITOR.tools.setTimeout(b,100,this):b.call(this)}}(),getHtml:function(){var b=this.$.innerHTML;return CKEDITOR.env.ie?b.replace(/<\?[^>]*>/g,""):b},getOuterHtml:function(){if(this.$.outerHTML)return this.$.outerHTML.replace(/<\?[^>]*>/,
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L6

Insecure DOM Manipulation (XSS) in html5.js

CWE-79
File Location: core/assets/vendor/html5shiv/html5.js:6
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- c=d.insertBefore(c.lastChild,d.firstChild);b.hasCSS=!!c}g||t(a,b);return a}var k=l.html5||{},s=/^<|^(?:button|map|select|textarea|object|iframe|option|optgroup)$/i,r=/^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|label|li|ol|p|q|span|strong|style|table|tbody|td|th|tr|ul)$/i,j,o="_html5shiv",h=0,n={},g;(function(){try{var a=f.createElement("a");a.innerHTML="<xyz></xyz>";j="hidden"in a;var b;if(!(b=1==a.childNodes.length)){f.createElement("a");var c=f.createDocumentFragment();b="undefined"==typeof c.cloneNode||
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L174

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:174
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- running.innerHTML = "Running: <br/>" + this.nameHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output