Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0.0-beta1

Scan ID: SCAN-DRUPAL-CORE-rWjWr9 • Hash: a223c6b3

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.646s

Vulnerability Details

L71

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:71
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- 16)},focus:function(){function b(){try{this.$.focus()}catch(b){}}return function(a){a?CKEDITOR.tools.setTimeout(b,100,this):b.call(this)}}(),getHtml:function(){var b=this.$.innerHTML;return CKEDITOR.env.ie?b.replace(/<\?[^>]*>/g,""):b},getOuterHtml:function(){if(this.$.outerHTML)return this.$.outerHTML.replace(/<\?[^>]*>/,"");var b=this.$.ownerDocument.createElement("div");b.appendChild(this.$.cloneNode(true));return b.innerHTML},getClientRect:function(){var b=CKEDITOR.tools.extend({},this.$.getBoundingClientRect());
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L72

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:72
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- !b.width&&(b.width=b.right-b.left);!b.height&&(b.height=b.bottom-b.top);return b},setHtml:CKEDITOR.env.ie&&CKEDITOR.env.version<9?function(b){try{var a=this.$;if(this.getParent())return a.innerHTML=b;var c=this.getDocument()._getHtml5ShivFrag();c.appendChild(a);a.innerHTML=b;c.removeChild(a);return b}catch(d){this.$.innerHTML="";a=new CKEDITOR.dom.element("body",this.getDocument());a.$.innerHTML=b;for(a=a.getChildren();a.count();)this.append(a.getItem(0));return b}}:function(b){return this.$.innerHTML=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L251

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:251
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- li.innerHTML = assertion.message || ( assertion.result ? "okay" : "failed" );
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L431

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:431
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- 0;g<a.length;g++)if(CKEDITOR.env.webkit)for(e=0;e<b.length;e++){h=b[e][1];for(d=0;d<c.length;d++)h=h.replace(c[d][0],c[d][1]);a[g].$.sheet.addRule(b[e][0],h)}else{h=b;for(d=0;d<c.length;d++)h=h.replace(c[d][0],c[d][1]);CKEDITOR.env.ie&&CKEDITOR.env.version<11?a[g].$.styleSheet.cssText=a[g].$.styleSheet.cssText+h:a[g].$.innerHTML=a[g].$.innerHTML+h}}var g={};CKEDITOR.skin={path:a,loadPart:function(b,d){CKEDITOR.skin.name!=CKEDITOR.skinName.split(",")[0]?CKEDITOR.scriptLoader.load(CKEDITOR.getUrl(a()+
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L657

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:657
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- lt:"<",amp:"&",apos:"'",quot:'"'},a=a.replace(/\b(nbsp|shy|gt|lt|amp|apos|quot)(?:,|$)/g,function(a,d){var f=c?"&"+d+";":g[d];e[f]=c?g[d]:"&"+d+";";b.push(f);return""});if(!c&&a){var a=a.split(","),k=document.createElement("div"),d;k.innerHTML="&"+a.join(";&")+";";d=k.innerHTML;k=null;for(k=0;k<d.length;k++){var h=d.charAt(k);e[h]="&"+a[k]+";";b.push(h)}}e.regex=b.join(c?"|":"");return e}CKEDITOR.plugins.add("entities",{afterInit:function(f){var c=f.config;if(f=(f=f.dataProcessor)&&f.htmlFilter){var e=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output