Back to Codebase

Vulnerability Analysis Report

Joomla CMS v4.0.0-alpha11

Scan ID: SCAN-JOOMLA-CORE-AaNKQg • Hash: 7f8f6aae

Severity Score
Critical
Total Findings
100
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.962s

Vulnerability Details

L612

Dynamic Code Execution in HtmlDocument.php

CWE-94
File Location: libraries/src/Document/HtmlDocument.php:612
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return eval($str);
+ // Avoid dynamic function/code evaluation. Rewrite with native callbacks.
L13

Insecure DOM Manipulation (XSS) in admin-compare-compare.es6.js

CWE-79
File Location: build/media_source/com_contenthistory/js/admin-compare-compare.es6.js:13
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- const diff = window.JsDiff.diffWords(original.innerHTML, changed.innerHTML);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L42

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:42
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L53

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:53
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = `<span class="badge badge-info">${Joomla.JText._('JALL')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L85

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:85
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpStatus.innerHTML = `<span class="badge badge-danger">${Joomla.JText._('JNO')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L74

Insecure DOM Manipulation (XSS) in stats-message.es6.js

CWE-79
File Location: build/media_source/plg_system_stats/js/stats-message.es6.js:74
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageContainer.innerHTML = json.html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L974

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:974
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this._nav_month.getElementsByTagName('span')[0].innerHTML = this.params.debug ? month + ' ' + JoomlaCalLocale.months[month] : JoomlaCalLocale.months[month];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L89

Insecure DOM Manipulation (XSS) in passwordstrength.es5.js

CWE-79
File Location: build/media_source/system/js/fields/passwordstrength.es5.js:89
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- label.innerHTML = Joomla.JText._('JFIELD_PASSWORD_INDICATE_COMPLETE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L105

Insecure DOM Manipulation (XSS) in passwordstrength.es5.js

CWE-79
File Location: build/media_source/system/js/fields/passwordstrength.es5.js:105
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- label.innerHTML = Joomla.JText._('JFIELD_PASSWORD_INDICATE_INCOMPLETE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L114

Insecure DOM Manipulation (XSS) in passwordstrength.es5.js

CWE-79
File Location: build/media_source/system/js/fields/passwordstrength.es5.js:114
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- label.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L307

Insecure DOM Manipulation (XSS) in client.es6.js

CWE-79
File Location: build/media_source/plg_installer_webinstaller/js/client.es6.js:307
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- uploadUrlContainer.innerHTML = installUrl;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L72

Insecure DOM Manipulation (XSS) in joomla-field-module-order.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-module-order.w-c.es6.js:72
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- node.innerHTML = item[2];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L101

Insecure DOM Manipulation (XSS) in passwordstrength.es5.js

CWE-79
File Location: build/media_source/system/js/fields/passwordstrength.es5.js:101
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- label.innerHTML = Joomla.JText._('JFIELD_PASSWORD_INDICATE_INCOMPLETE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L122

Insecure DOM Manipulation (XSS) in validate.es6.js

CWE-79
File Location: build/media_source/system/js/fields/validate.es6.js:122
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elMsg.innerHTML = message || Joomla.JText._('JLIB_FORM_FIELD_REQUIRED_VALUE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1492

Insecure DOM Manipulation (XSS) in jquery.ui.core.es5.js

CWE-79
File Location: build/media_source/vendor/jquery-ui/js/jquery.ui.core.es5.js:1492
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- testElement.innerHTML = "";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L110

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:110
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = json.message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L124

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:124
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = error;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L221

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:221
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('jform_override').value = document.getElementById(`override_string${id}`).innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L68

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:68
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = `<span class="badge badge-info">${Joomla.JText._('JALL')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L24

Insecure DOM Manipulation (XSS) in jupdatecheck.es6.js

CWE-79
File Location: build/media_source/plg_quickicon_joomlaupdate/js/jupdatecheck.es6.js:24
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- span.innerHTML = text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L900

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:900
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = "&#160;";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L975

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:975
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.title.getElementsByTagName('span')[0].innerHTML = this.params.debug ? year + ' ' + Date.convertNumbers(year.toString()) : Date.convertNumbers(year.toString());
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L223

Insecure DOM Manipulation (XSS) in joomla-field-media.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-media.w-c.es6.js:223
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L148

Insecure DOM Manipulation (XSS) in admin-articles-workflow-buttons.es6.js

CWE-79
File Location: build/media_source/com_content/js/admin-articles-workflow-buttons.es6.js:148
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modalcontent.innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L43

Insecure DOM Manipulation (XSS) in admin-system-loader.es6.js

CWE-79
File Location: build/media_source/com_cpanel/js/admin-system-loader.es6.js:43
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = response.data;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L312

Insecure DOM Manipulation (XSS) in tinymce-builder.es6.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/tinymce-builder.es6.js:312
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L187

Insecure DOM Manipulation (XSS) in client.es6.js

CWE-79
File Location: build/media_source/plg_installer_webinstaller/js/client.es6.js:187
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- errorContainer.innerHTML = request.responseText;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L221

Insecure DOM Manipulation (XSS) in joomla-field-media.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-media.w-c.es6.js:221
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- div.innerHTML = '<span class="field-media-preview-icon"></span>';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L251

Insecure DOM Manipulation (XSS) in joomla-field-simple-color.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-simple-color.w-c.es6.js:251
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.icon.innerHTML = `<span class="sr-only">${this.textSelect}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L93

Insecure DOM Manipulation (XSS) in passwordstrength.es5.js

CWE-79
File Location: build/media_source/system/js/fields/passwordstrength.es5.js:93
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- label.innerHTML = Joomla.JText._('JFIELD_PASSWORD_INDICATE_INCOMPLETE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L24

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: build/warning_page/template.js:24
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- header.innerHTML = errorLocale[ref].header;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L216

Insecure DOM Manipulation (XSS) in sidebyside.es5.js

CWE-79
File Location: build/media_source/com_associations/js/sidebyside.es5.js:216
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('select-change-text').innerHTML = document.getElementById('select-change').getAttribute('data-select');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L48

Insecure DOM Manipulation (XSS) in changelog.es6.js

CWE-79
File Location: build/media_source/com_installer/js/changelog.es6.js:48
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modal.innerHTML = message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L189

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:189
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- string.innerHTML = item.string;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L199

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:199
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- noresult.innerHTML = Joomla.JText._('COM_LANGUAGES_VIEW_OVERRIDE_NO_RESULTS');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L78

Insecure DOM Manipulation (XSS) in admin-item-edit_modules.es6.js

CWE-79
File Location: build/media_source/com_menus/js/admin-item-edit_modules.es6.js:78
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- body.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L678

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:678
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = " ";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L82

Insecure DOM Manipulation (XSS) in joomla-field-module-order.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-module-order.w-c.es6.js:82
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L139

Insecure DOM Manipulation (XSS) in joomla-field-permissions.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-permissions.w-c.es6.js:139
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- badgeSpan.innerHTML = response.data.text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L124

Insecure DOM Manipulation (XSS) in validate.es6.js

CWE-79
File Location: build/media_source/system/js/fields/validate.es6.js:124
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elMsg.innerHTML = message || Joomla.JText._('JLIB_FORM_FIELD_INVALID_VALUE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L222

Insecure DOM Manipulation (XSS) in sidebyside.es5.js

CWE-79
File Location: build/media_source/com_associations/js/sidebyside.es5.js:222
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('select-change-text').innerHTML = document.getElementById('select-change').getAttribute('data-change');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L220

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:220
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('jform_key').value = document.getElementById(`override_key${id}`).innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L56

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:56
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = `<span class="badge badge-success">${Joomla.JText._('JYES')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L318

Insecure DOM Manipulation (XSS) in tinymce-builder.es6.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/tinymce-builder.es6.js:318
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L595

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:595
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = cs ? "<div unselectable='on'" + classes + ">" + text + "</div>" : text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L651

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:651
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = JoomlaCalLocale.shortDays[(i + fdow) % 7];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L229

Insecure DOM Manipulation (XSS) in joomla-field-simple-color.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-simple-color.w-c.es6.js:229
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- close.innerHTML = this.textClose;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L97

Insecure DOM Manipulation (XSS) in passwordstrength.es5.js

CWE-79
File Location: build/media_source/system/js/fields/passwordstrength.es5.js:97
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- label.innerHTML = Joomla.JText._('JFIELD_PASSWORD_INDICATE_INCOMPLETE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L152

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:152
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L43

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:43
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = `<span class="badge badge-danger">${Joomla.JText._('JNO')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L32

Insecure DOM Manipulation (XSS) in helpsite.es5.js

CWE-79
File Location: build/media_source/legacy/js/helpsite.es5.js:32
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById(select_id).innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L286

Insecure DOM Manipulation (XSS) in tinymce-builder.es6.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/tinymce-builder.es6.js:286
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- box.innerHTML += $btn;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L24

Insecure DOM Manipulation (XSS) in extensionupdatecheck.es6.js

CWE-79
File Location: build/media_source/plg_quickicon_extensionupdate/js/extensionupdatecheck.es6.js:24
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- span.innerHTML = text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L17

Insecure DOM Manipulation (XSS) in joomla-hidden-mail.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/joomla-hidden-mail.w-c.es6.js:17
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L407

Insecure DOM Manipulation (XSS) in searchtools.es6.js

CWE-79
File Location: build/media_source/system/js/searchtools.es6.js:407
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.theForm.innerHTML += this.orderField.outerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L184

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:184
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- key.innerHTML = item.constant;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L39

Insecure DOM Manipulation (XSS) in edit-images.es6.js

CWE-79
File Location: build/media_source/com_media/js/edit-images.es6.js:39
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- baseContainer.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L81

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:81
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpStatus.innerHTML = `<span class="badge badge-success">${Joomla.JText._('JYES')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L89

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:89
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpStatus.innerHTML = `<span class="badge badge-default">${Joomla.JText._('JTRASHED')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L33

Insecure DOM Manipulation (XSS) in admin-template-compare.es6.js

CWE-79
File Location: build/media_source/com_templates/js/admin-template-compare.es6.js:33
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- const diff = JsDiff.diffLines(original.innerHTML, changed.innerHTML);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L475

Insecure DOM Manipulation (XSS) in core.es6.js

CWE-79
File Location: build/media_source/system/js/core.es6.js:475
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- buttonWrapper.innerHTML = '×';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L486

Insecure DOM Manipulation (XSS) in core.es6.js

CWE-79
File Location: build/media_source/system/js/core.es6.js:486
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- titleWrapper.innerHTML = Joomla.Text._(type) ? Joomla.Text._(type) : type;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L624

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:624
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = JoomlaCalLocale.wk;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L910

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:910
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = this.params.debug ? iday : Date.convertNumbers(iday); // translated day number for each cell
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L978

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:978
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this._nav_month.getElementsByTagName('span')[0].innerHTML = !this.params.monthBefore ? JoomlaCalLocale.months[month] + ' - ' + tmpYear : tmpYear + ' - ' + JoomlaCalLocale.months[month] ;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L220

Insecure DOM Manipulation (XSS) in joomla-field-simple-color.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-simple-color.w-c.es6.js:220
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = `<span class="sr-only">${a11yColor}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L157

Insecure DOM Manipulation (XSS) in joomla-field-subform.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-subform.w-c.es6.js:157
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.template = tmplElement[0].innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L184

Insecure DOM Manipulation (XSS) in joomla-field-subform.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-subform.w-c.es6.js:184
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpEl.innerHTML = this.template;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L120

Insecure DOM Manipulation (XSS) in validate.es6.js

CWE-79
File Location: build/media_source/system/js/fields/validate.es6.js:120
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elMsg.innerHTML = message || Joomla.JText._('JLIB_FORM_FIELD_REQUIRED_CHECK');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L51

Insecure DOM Manipulation (XSS) in joomla-hidden-mail.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/joomla-hidden-mail.w-c.es6.js:51
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.newElement.innerHTML = innerStr;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L434

Insecure DOM Manipulation (XSS) in searchtools.es6.js

CWE-79
File Location: build/media_source/system/js/searchtools.es6.js:434
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.orderFieldName.innerHTML += $option;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L71

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:71
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = `<span class="badge badge-success">${Joomla.JText._('JYES')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L39

Insecure DOM Manipulation (XSS) in helpsite.es5.js

CWE-79
File Location: build/media_source/legacy/js/helpsite.es5.js:39
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- node.innerHTML = item.text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L223

Insecure DOM Manipulation (XSS) in tinymce-builder.es6.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/tinymce-builder.es6.js:223
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element.innerHTML += input;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L311

Insecure DOM Manipulation (XSS) in client.es6.js

CWE-79
File Location: build/media_source/plg_installer_webinstaller/js/client.es6.js:311
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- nameElement.innerHTML = name;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L749

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:749
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = "&#160;";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L121

Insecure DOM Manipulation (XSS) in joomla-field-user.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-user.w-c.es6.js:121
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.modalBody.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L126

Insecure DOM Manipulation (XSS) in joomla-field-user.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-user.w-c.es6.js:126
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.modalBody.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L33

Insecure DOM Manipulation (XSS) in associations-edit.es6.js

CWE-79
File Location: build/media_source/com_associations/js/associations-edit.es6.js:33
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- html.innerHTML = Joomla.JText._('JGLOBAL_ASSOC_NOT_POSSIBLE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L64

Insecure DOM Manipulation (XSS) in admin-articles-workflow-buttons.es6.js

CWE-79
File Location: build/media_source/com_content/js/admin-articles-workflow-buttons.es6.js:64
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modalcontent.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L51

Insecure DOM Manipulation (XSS) in changelog.es6.js

CWE-79
File Location: build/media_source/com_installer/js/changelog.es6.js:51
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modal.innerHTML = xhr.statusText;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L261

Insecure DOM Manipulation (XSS) in edit-images.es6.js

CWE-79
File Location: build/media_source/com_media/js/edit-images.es6.js:261
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- container.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L47

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:47
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = `<span class="badge badge-info">${Joomla.JText._('JALL')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L61

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:61
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = `<span class="badge badge-danger">${Joomla.JText._('JNO')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L95

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:95
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- window.parent.document.querySelector(`#access-${options.itemId}`).innerHTML = window.parent.viewLevels[updAccess];
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L27

Insecure DOM Manipulation (XSS) in overridecheck.es6.js

CWE-79
File Location: build/media_source/plg_quickicon_overridecheck/js/overridecheck.es6.js:27
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- span.innerHTML = text;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L493

Insecure DOM Manipulation (XSS) in core.es6.js

CWE-79
File Location: build/media_source/system/js/core.es6.js:493
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageWrapper.innerHTML = typeMessage;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L593

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:593
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = "<a " + classes + " style='display:inline;padding:2px 6px;cursor:pointer;text-decoration:none;' unselectable='on'>" + text + "</a>";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L877

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:877
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = date.getLocalWeekNumber(this.params.dateType); //date.convertNumbers();
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L30

Insecure DOM Manipulation (XSS) in Notifications.js

CWE-79
File Location: administrator/components/com_media/resources/scripts/app/Notifications.js:30
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- alert.innerHTML = Joomla.JText._(message, message) || '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L92

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:92
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById(`finder-${context[0].replace(/\s+/g, '-').toLowerCase()}`).innerHTML = `${json.pluginState[context[0]].offset} of ${json.pluginState[context[0]].total}`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L66

Insecure DOM Manipulation (XSS) in edit-images.es6.js

CWE-79
File Location: build/media_source/com_media/js/edit-images.es6.js:66
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- container.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L76

Insecure DOM Manipulation (XSS) in admin-module-edit.es6.js

CWE-79
File Location: build/media_source/com_modules/js/admin-module-edit.es6.js:76
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = `<span class="badge badge-danger">${Joomla.JText._('JNO')}</span>`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L85

Insecure DOM Manipulation (XSS) in client.es6.js

CWE-79
File Location: build/media_source/plg_installer_webinstaller/js/client.es6.js:85
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- jedContainer.innerHTML = response.data.html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L334

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:334
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- if (el.navtype === 50) { el._current = el.innerHTML; }
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L49

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: build/warning_page/template.js:49
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- header.innerHTML = errorLocale[key].header;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1411

Weak Cryptographic Hash (MD5) in LanguagesModel.php

CWE-327
File Location: installation/src/Model/LanguagesModel.php:1411
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L74

Weak Cryptographic Hash (MD5) in ApplicationHelper.php

CWE-327
File Location: libraries/src/Application/ApplicationHelper.php:74
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return md5(Factory::getApplication()->get('secret') . $seed);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L229

Weak Cryptographic Hash (MD5) in SocketTransport.php

CWE-327
File Location: libraries/src/Http/Transport/SocketTransport.php:229
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5($host . $port);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L904

Weak Cryptographic Hash (MD5) in multilang.php

CWE-327
File Location: plugins/sampledata/multilang/multilang.php:904
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing