Back to Codebase

Vulnerability Analysis Report

Joomla CMS vvPBF2

Scan ID: SCAN-JOOMLA-CORE-3ZL0OA • Hash: 2321994d

Severity Score
High
Total Findings
20
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.536s

Vulnerability Details

L470

Dynamic Code Execution in html.php

CWE-94
File Location: libraries/joomla/document/html/html.php:470
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return eval($str);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L893

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:893
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L997

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:997
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L1127

Weak Cryptographic Hash (MD5) in web.php

CWE-327
File Location: libraries/joomla/application/web.php:1127
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $name = md5($this->get('secret') . $this->get('session_name', get_class($this)));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L126

Weak Cryptographic Hash (MD5) in categories.php

CWE-327
File Location: libraries/joomla/application/categories.php:126
Security Score:
36 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($extension . serialize($options));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L150

Weak Cryptographic Hash (MD5) in modelform.php

CWE-327
File Location: libraries/joomla/application/component/modelform.php:150
Security Score:
36 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($source . serialize($options));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L394

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:394
Security Score:
35 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L344

Weak Cryptographic Hash (MD5) in html.php

CWE-327
File Location: libraries/joomla/document/html/html.php:344
Security Score:
35 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5(serialize(array($name, $attribs, $result, $renderer)));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L349

Weak Cryptographic Hash (MD5) in reset.php

CWE-327
File Location: components/com_users/models/reset.php:349
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hashedToken = md5($token.$salt).':'.$salt;
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L958

Weak Cryptographic Hash (MD5) in application.php

CWE-327
File Location: libraries/joomla/application/application.php:958
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return md5(JFactory::getConfig()->get('secret') . $seed);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L231

Weak Cryptographic Hash (MD5) in path.php

CWE-327
File Location: libraries/joomla/filesystem/path.php:231
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $tmp = md5(JUserHelper::genRandomPassword(16));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L1152

Weak Cryptographic Hash (MD5) in item.php

CWE-327
File Location: administrator/components/com_menus/models/item.php:1152
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L431

Weak Cryptographic Hash (MD5) in cache.php

CWE-327
File Location: libraries/joomla/cache/cache.php:431
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5(serialize($this->_options));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L620

Weak Cryptographic Hash (MD5) in ldap.php

CWE-327
File Location: libraries/joomla/client/ldap.php:620
Security Score:
32 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $userpassword = '{MD5}' . base64_encode(pack('H*', md5($password)));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L73

Weak Cryptographic Hash (MD5) in storage.php

CWE-327
File Location: libraries/joomla/cache/storage.php:73
Security Score:
31 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->_hash = md5($config->get('secret'));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L251

Weak Cryptographic Hash (MD5) in factory.php

CWE-327
File Location: libraries/joomla/factory.php:251
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($group . $handler . $storage);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L107

Weak Cryptographic Hash (MD5) in helper.php

CWE-327
File Location: libraries/joomla/form/helper.php:107
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5($type);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L42

Weak Cryptographic Hash (MD5) in category.php

CWE-327
File Location: libraries/joomla/html/html/category.php:42
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($extension . '.' . serialize($config));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L692

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:692
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L548

Weak Cryptographic Hash (MD5) in search.php

CWE-327
File Location: components/com_finder/models/search.php:548
Security Score:
26 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $suffix = JString::substr(md5(JString::substr($token, 0, 1)), 0, 1);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing