Back to Codebase

Vulnerability Analysis Report

Drupal Core v8.0-alpha12

Scan ID: SCAN-DRUPAL-CORE-vR2S2o • Hash: b7087c1f

Severity Score
High
Total Findings
5
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.774s

Vulnerability Details

L71

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:71
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return function(e){e?CKEDITOR.tools.setTimeout(a,100,this):a.call(this)}}(),getHtml:function(){var a=this.$.innerHTML;return CKEDITOR.env.ie?a.replace(/<\?[^>]*>/g,""):a},getOuterHtml:function(){if(this.$.outerHTML)return this.$.outerHTML.replace(/<\?[^>]*>/,"");var a=this.$.ownerDocument.createElement("div");a.appendChild(this.$.cloneNode(true));return a.innerHTML},getClientRect:function(){var a=CKEDITOR.tools.extend({},this.$.getBoundingClientRect());!a.width&&(a.width=a.right-a.left);!a.height&&
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L426

Insecure DOM Manipulation (XSS) in ckeditor.js

CWE-79
File Location: core/assets/vendor/ckeditor/ckeditor.js:426
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- 0;e<c.length;e++)g=g.replace(c[e][0],c[e][1]);a[f].$.sheet.addRule(b[d][0],g)}else{g=b;for(e=0;e<c.length;e++)g=g.replace(c[e][0],c[e][1]);CKEDITOR.env.ie&&CKEDITOR.env.version<11?a[f].$.styleSheet.cssText=a[f].$.styleSheet.cssText+g:a[f].$.innerHTML=a[f].$.innerHTML+g}}var e={};CKEDITOR.skin={path:b,loadPart:function(a,c){CKEDITOR.skin.name!=CKEDITOR.skinName.split(",")[0]?CKEDITOR.scriptLoader.load(CKEDITOR.getUrl(b()+"skin.js"),function(){d(a,c)}):d(a,c)},getPath:function(a){return CKEDITOR.getUrl(f(a))},
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L101

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:101
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- b.innerHTML = this.nameHtml;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L5

Insecure DOM Manipulation (XSS) in html5.js

CWE-79
File Location: core/assets/vendor/html5shiv/html5.js:5
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- a.createElement=function(c){return!e.shivMethods?b.createElem(c):p(c,a,b)};a.createDocumentFragment=Function("h,f","return function(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&("+m().join().replace(/\w+/g,function(a){b.createElem(a);b.frag.createElement(a);return'c("'+a+'")'})+");return n}")(e,b.frag)}function q(a){a||(a=f);var b=i(a);if(e.shivCSS&&!j&&!b.hasCSS){var c,d=a;c=d.createElement("p");d=d.getElementsByTagName("head")[0]||d.documentElement;c.innerHTML="x<style>article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}mark{background:#FF0;color:#000}</style>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L251

Insecure DOM Manipulation (XSS) in qunit.js

CWE-79
File Location: core/assets/vendor/jquery.ui/external/qunit.js:251
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- li.innerHTML = assertion.message || ( assertion.result ? "okay" : "failed" );
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output