Back to Codebase

Vulnerability Analysis Report

Joomla CMS vsearchjan3

Scan ID: SCAN-JOOMLA-CORE-2GMfj0 • Hash: 0abdc563

Severity Score
High
Total Findings
20
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.715s

Vulnerability Details

L470

Dynamic Code Execution in html.php

CWE-94
File Location: libraries/joomla/document/html/html.php:470
Security Score:
97 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return eval($str);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L1000

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:1000
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L1126

Weak Cryptographic Hash (MD5) in web.php

CWE-327
File Location: libraries/joomla/application/web.php:1126
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $name = md5($this->get('secret') . $this->get('session_name', get_class($this)));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L230

Weak Cryptographic Hash (MD5) in path.php

CWE-327
File Location: libraries/joomla/filesystem/path.php:230
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $tmp = md5(JUserHelper::genRandomPassword(16));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L73

Weak Cryptographic Hash (MD5) in storage.php

CWE-327
File Location: libraries/joomla/cache/storage.php:73
Security Score:
36 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->_hash = md5($config->get('secret'));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L251

Weak Cryptographic Hash (MD5) in factory.php

CWE-327
File Location: libraries/joomla/factory.php:251
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($group . $handler . $storage);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L431

Weak Cryptographic Hash (MD5) in cache.php

CWE-327
File Location: libraries/joomla/cache/cache.php:431
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5(serialize($this->_options));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L344

Weak Cryptographic Hash (MD5) in html.php

CWE-327
File Location: libraries/joomla/document/html/html.php:344
Security Score:
32 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5(serialize(array($name, $attribs, $result, $renderer)));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L42

Weak Cryptographic Hash (MD5) in category.php

CWE-327
File Location: libraries/joomla/html/html/category.php:42
Security Score:
32 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($extension . '.' . serialize($config));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L982

Weak Cryptographic Hash (MD5) in application.php

CWE-327
File Location: libraries/joomla/application/application.php:982
Security Score:
31 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return md5(JFactory::getConfig()->get('secret') . $seed);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L620

Weak Cryptographic Hash (MD5) in ldap.php

CWE-327
File Location: libraries/joomla/client/ldap.php:620
Security Score:
30 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $userpassword = '{MD5}' . base64_encode(pack('H*', md5($password)));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L896

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:896
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L198

Weak Cryptographic Hash (MD5) in categories.php

CWE-327
File Location: libraries/joomla/application/categories.php:198
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($extension . serialize($options));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L397

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:397
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L695

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:695
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L349

Weak Cryptographic Hash (MD5) in reset.php

CWE-327
File Location: components/com_users/models/reset.php:349
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hashedToken = md5($token.$salt).':'.$salt;
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L159

Weak Cryptographic Hash (MD5) in modelform.php

CWE-327
File Location: libraries/joomla/application/component/modelform.php:159
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($source . serialize($options));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L1200

Weak Cryptographic Hash (MD5) in item.php

CWE-327
File Location: administrator/components/com_menus/models/item.php:1200
Security Score:
25 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L551

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:551
Security Score:
25 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L107

Weak Cryptographic Hash (MD5) in helper.php

CWE-327
File Location: libraries/joomla/form/helper.php:107
Security Score:
25 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5($type);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing