Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0-alpha9

Scan ID: SCAN-DRUPAL-CORE-v8b2kG • Hash: bad5f337

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.694s

Vulnerability Details

L69

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:69
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- contains:CKEDITOR.env.ie||CKEDITOR.env.webkit?function(b){var f=this.$;return b.type!=CKEDITOR.NODE_ELEMENT?f.contains(b.getParent().$):f!=b.$&&f.contains(b.$)}:function(b){return!!(this.$.compareDocumentPosition(b.$)&16)},focus:function(){function b(){try{this.$.focus()}catch(b){}}return function(f){f?CKEDITOR.tools.setTimeout(b,100,this):b.call(this)}}(),getHtml:function(){var b=this.$.innerHTML;return CKEDITOR.env.ie?b.replace(/<\?[^>]*>/g,""):b},getOuterHtml:function(){if(this.$.outerHTML)return this.$.outerHTML.replace(/<\?[^>]*>/,
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L403

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:403
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- i);b.setAttribute("type","text/css")}return b}function b(a,b,c){var d,f,g;if(CKEDITOR.env.webkit){b=b.split("}").slice(0,-1);for(f=0;f<b.length;f++)b[f]=b[f].split("{")}for(var e=0;e<a.length;e++)if(CKEDITOR.env.webkit)for(f=0;f<b.length;f++){g=b[f][1];for(d=0;d<c.length;d++)g=g.replace(c[d][0],c[d][1]);a[e].$.sheet.addRule(b[f][0],g)}else{g=b;for(d=0;d<c.length;d++)g=g.replace(c[d][0],c[d][1]);CKEDITOR.env.ie?a[e].$.styleSheet.cssText=a[e].$.styleSheet.cssText+g:a[e].$.innerHTML=a[e].$.innerHTML+
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L627

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:627
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- var b=CKEDITOR.plugins.enterkey,f=b.enterBr,i=b.enterBlock,h=/^h[1-6]$/}(),function(){function d(d,c){var a={},b=[],f={nbsp:" ",shy:"­",gt:">",lt:"<",amp:"&",apos:"'",quot:'"'},d=d.replace(/\b(nbsp|shy|gt|lt|amp|apos|quot)(?:,|$)/g,function(d,e){var g=c?"&"+e+";":f[e];a[g]=c?f[e]:"&"+e+";";b.push(g);return""});if(!c&&d){var d=d.split(","),i=document.createElement("div"),h;i.innerHTML="&"+d.join(";&")+";";h=i.innerHTML;i=null;for(i=0;i<h.length;i++){var g=h.charAt(i);a[g]="&"+d[i]+";";b.push(g)}}a.regex=
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L5

Insecure DOM Manipulation (XSS) in html5.js

CWE-79
File Location: core/assets/vendor/html5shiv/html5.js:5
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- a.createElement=function(c){return!e.shivMethods?b.createElem(c):p(c,a,b)};a.createDocumentFragment=Function("h,f","return function(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&("+m().join().replace(/\w+/g,function(a){b.createElem(a);b.frag.createElement(a);return'c("'+a+'")'})+");return n}")(e,b.frag)}function q(a){a||(a=f);var b=i(a);if(e.shivCSS&&!j&&!b.hasCSS){var c,d=a;c=d.createElement("p");d=d.getElementsByTagName("head")[0]||d.documentElement;c.innerHTML="x<style>article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}mark{background:#FF0;color:#000}</style>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L632

Insecure DOM Manipulation (XSS) in jquery.form.js

CWE-79
File Location: core/assets/vendor/jquery-form/jquery.form.js:632
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- xhr.responseText = docRoot ? docRoot.innerHTML : null;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output