Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0-alpha5

Scan ID: SCAN-DRUPAL-CORE-mpJk99 • Hash: 7f53f8c6

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.536s

Vulnerability Details

L403

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:403
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- i);b.setAttribute("type","text/css")}return b}function b(a,b,c){var d,f,g;if(CKEDITOR.env.webkit){b=b.split("}").slice(0,-1);for(f=0;f<b.length;f++)b[f]=b[f].split("{")}for(var e=0;e<a.length;e++)if(CKEDITOR.env.webkit)for(f=0;f<b.length;f++){g=b[f][1];for(d=0;d<c.length;d++)g=g.replace(c[d][0],c[d][1]);a[e].$.sheet.addRule(b[f][0],g)}else{g=b;for(d=0;d<c.length;d++)g=g.replace(c[d][0],c[d][1]);CKEDITOR.env.ie?a[e].$.styleSheet.cssText=a[e].$.styleSheet.cssText+g:a[e].$.innerHTML=a[e].$.innerHTML+
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L91

Insecure DOM Manipulation (XSS) in jquery.metadata.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/jquery.metadata.js:91
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- data = $.trim(e[0].innerHTML);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L671

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:671
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- d);e.ui.addButton&&e.ui.addButton("HorizontalRule",{label:e.lang.horizontalrule.toolbar,command:"horizontalrule",toolbar:"insert,40"})}}})}(),function(){function d(a){var b=this.editor,c=a.document,d=c.body;(a=c.getElementById("cke_actscrpt"))&&a.parentNode.removeChild(a);(a=c.getElementById("cke_shimscrpt"))&&a.parentNode.removeChild(a);if(CKEDITOR.env.gecko){d.contentEditable=false;if(CKEDITOR.env.version<2E4){d.innerHTML=d.innerHTML.replace(/^.*<\!-- cke-content-start --\>/,"");setTimeout(function(){var a=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L70

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:70
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- "");var b=this.$.ownerDocument.createElement("div");b.appendChild(this.$.cloneNode(true));return b.innerHTML},getClientRect:function(){var b=CKEDITOR.tools.extend({},this.$.getBoundingClientRect());!b.width&&(b.width=b.right-b.left);!b.height&&(b.height=b.bottom-b.top);return b},setHtml:function(){var b=function(b){return this.$.innerHTML=b};return CKEDITOR.env.ie&&CKEDITOR.env.version<9?function(b){try{return this.$.innerHTML=b}catch(a){this.$.innerHTML="";var c=new CKEDITOR.dom.element("body",this.getDocument());
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L617

Insecure DOM Manipulation (XSS) in jquery.form.js

CWE-79
File Location: core/assets/vendor/jquery-form/jquery.form.js:617
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- if (!isXml && window.opera && (doc.body === null || !doc.body.innerHTML)) {
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output