Back to Codebase

Vulnerability Analysis Report

Joomla CMS v6.0.0-rc1

Scan ID: SCAN-JOOMLA-CORE-BC7xNZ • Hash: 22441438

Severity Score
Medium
Total Findings
100
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
1.161s

Vulnerability Details

L39

Insecure DOM Manipulation (XSS) in admin-system-loader.es6.js

CWE-79
File Location: build/media_source/com_cpanel/js/admin-system-loader.es6.js:39
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = Joomla.sanitizeHtml(response.data);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L342

Insecure DOM Manipulation (XSS) in plugin.es5.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/plugins/jtemplate/plugin.es5.js:342
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- n.innerHTML = sel;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L158

Insecure DOM Manipulation (XSS) in client.es6.js

CWE-79
File Location: build/media_source/plg_installer_webinstaller/js/client.es6.js:158
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- errorContainer.innerHTML = Joomla.sanitizeHtml(request.responseText);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L23

Insecure DOM Manipulation (XSS) in setup.es6.js

CWE-79
File Location: build/media_source/plg_multifactorauth_totp/js/setup.es6.js:23
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elTarget.innerHTML = qr.createImgTag(4);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L162

Insecure DOM Manipulation (XSS) in shortcut.es6.js

CWE-79
File Location: build/media_source/plg_system_shortcut/js/shortcut.es6.js:162
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- intro.innerHTML = Joomla.sanitizeHtml(Joomla.Text._('PLG_SYSTEM_SHORTCUT_OVERVIEW_DESC'), { kbd: '*' });
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L363

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:363
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- if (el.navtype === 50) { el._current = el.innerHTML; }
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L114

Insecure DOM Manipulation (XSS) in validate.es6.js

CWE-79
File Location: build/media_source/system/js/fields/validate.es6.js:114
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elMsg.innerHTML = message !== null ? Joomla.sanitizeHtml(message) : Joomla.sanitizeHtml(Joomla.Text._('JLIB_FORM_FIELD_REQUIRED_VALUE'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L495

Insecure DOM Manipulation (XSS) in searchtools.es6.js

CWE-79
File Location: build/media_source/system/js/searchtools.es6.js:495
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.orderFieldName.innerHTML += Joomla.sanitizeHtml($option);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L55

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: build/warning_page/template.js:55
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- header.innerHTML = errorLocale[key].header;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L56

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: build/warning_page/template.js:56
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- desc1.innerHTML = errorLocale[key].text1;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L92

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:92
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById(`finder-${context[0].replace(/\s+/g, '-').toLowerCase()}`).innerHTML = Joomla.sanitizeHtml(`${json.pluginState[context[0]].offset} of ${json.pluginState[context[0]].total}`);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L123

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:123
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = Joomla.sanitizeHtml(error);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L520

Insecure DOM Manipulation (XSS) in plugin.es5.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/plugins/jtemplate/plugin.es5.js:520
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- e.innerHTML = getDateTime(editor, dateFormat);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L293

Insecure DOM Manipulation (XSS) in management.es6.js

CWE-79
File Location: build/media_source/plg_system_webauthn/js/management.es6.js:293
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elLabelTD.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L705

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:705
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = " ";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L312

Insecure DOM Manipulation (XSS) in joomla-field-media.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-media.w-c.es6.js:312
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.previewElement.innerHTML = Joomla.sanitizeHtml('<span class="field-media-preview-icon"></span>');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L316

Insecure DOM Manipulation (XSS) in joomla-field-media.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-media.w-c.es6.js:316
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.previewElement.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L139

Insecure DOM Manipulation (XSS) in joomla-field-permissions.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-permissions.w-c.es6.js:139
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- badgeSpan.innerHTML = Joomla.sanitizeHtml(response.data.text);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L454

Insecure DOM Manipulation (XSS) in joomla-media-select.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-media-select.w-c.es6.js:454
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.innerHTML = `<details open>
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L41

Insecure DOM Manipulation (XSS) in tab.es6.js

CWE-79
File Location: build/media_source/vendor/bootstrap/js/tab.es6.js:41
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- link.innerHTML = Joomla.sanitizeHtml(element.dataset.title);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L30

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: build/warning_page/template.js:30
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- header.innerHTML = errorLocale[ref].header;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L32

Insecure DOM Manipulation (XSS) in debug.es6.js

CWE-79
File Location: build/media_source/com_finder/js/debug.es6.js:32
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- output.innerHTML = Joomla.sanitizeHtml(parsed.rendered, allowedHtml);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L49

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:49
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_BODY_SERVERERROR');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L177

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:177
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- key.innerHTML = Joomla.sanitizeHtml(item.constant);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L126

Insecure DOM Manipulation (XSS) in admin-item-edit_modules.es6.js

CWE-79
File Location: build/media_source/com_menus/js/admin-item-edit_modules.es6.js:126
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpStatus.innerHTML = createElement('span', Joomla.Text._('JNO'), ['badge', 'bg-danger']).outerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L313

Insecure DOM Manipulation (XSS) in tinymce-builder.es6.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/tinymce-builder.es6.js:313
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L778

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:778
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = "&#160;";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L941

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:941
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = "&#160;";
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L532

Insecure DOM Manipulation (XSS) in joomla-media-select.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-media-select.w-c.es6.js:532
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L17

Insecure DOM Manipulation (XSS) in joomla-hidden-mail.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/joomla-hidden-mail.w-c.es6.js:17
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L174

Insecure DOM Manipulation (XSS) in sidebyside.es6.js

CWE-79
File Location: build/media_source/com_associations/js/sidebyside.es6.js:174
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('select-change-text').innerHTML = Joomla.sanitizeHtml(document.getElementById('select-change').getAttribute('data-change'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L164

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:164
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = Joomla.sanitizeHtml(message);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L106

Insecure DOM Manipulation (XSS) in admin-item-edit_modules.es6.js

CWE-79
File Location: build/media_source/com_menus/js/admin-item-edit_modules.es6.js:106
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = createElement('span', Joomla.Text._('JYES'), ['badge', 'bg-success']).outerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L339

Insecure DOM Manipulation (XSS) in plugin.es5.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/plugins/jtemplate/plugin.es5.js:339
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- n.innerHTML = getDateTime(editor, getMdateFormat(editor));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L180

Insecure DOM Manipulation (XSS) in joomla-field-subform.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-subform.w-c.es6.js:180
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpEl.innerHTML = this.template;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L116

Insecure DOM Manipulation (XSS) in validate.es6.js

CWE-79
File Location: build/media_source/system/js/fields/validate.es6.js:116
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elMsg.innerHTML = message !== null ? Joomla.sanitizeHtml(message) : Joomla.sanitizeHtml(Joomla.Text._('JLIB_FORM_FIELD_INVALID_VALUE'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L48

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:48
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- headerDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_HEAD_SERVERERROR');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L117

Insecure DOM Manipulation (XSS) in admin-item-edit_modules.es6.js

CWE-79
File Location: build/media_source/com_menus/js/admin-item-edit_modules.es6.js:117
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = createElement('span', Joomla.Text._('JNO'), ['badge', 'bg-danger']).outerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L307

Insecure DOM Manipulation (XSS) in tinymce-builder.es6.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/tinymce-builder.es6.js:307
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L21

Insecure DOM Manipulation (XSS) in extensionupdatecheck.es6.js

CWE-79
File Location: build/media_source/plg_quickicon_extensionupdate/js/extensionupdatecheck.es6.js:21
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- span.innerHTML = Joomla.sanitizeHtml(text);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L617

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:617
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = cs ? Joomla.sanitizeHtml("<div unselectable='on'" + classes + ">" + text + "</div>") : Joomla.sanitizeHtml(text);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L83

Insecure DOM Manipulation (XSS) in joomla-field-module-order.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-module-order.w-c.es6.js:83
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.innerHTML = '';
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L213

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:213
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('jform_override').value = document.getElementById(`override_string${id}`).innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L336

Insecure DOM Manipulation (XSS) in plugin.es5.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/plugins/jtemplate/plugin.es5.js:336
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- n.innerHTML = getDateTime(editor, getCdateFormat(editor));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L126

Insecure DOM Manipulation (XSS) in client.es6.js

CWE-79
File Location: build/media_source/plg_installer_webinstaller/js/client.es6.js:126
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('search-reset').innerHTML = Joomla.sanitizeHtml(Joomla.Text._('JSEARCH_FILTER_CLEAR'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L14

Insecure DOM Manipulation (XSS) in healthcheck.es6.js

CWE-79
File Location: build/media_source/plg_quickicon_autoupdate/js/healthcheck.es6.js:14
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- span.innerHTML = Joomla.sanitizeHtml(text);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L388

Insecure DOM Manipulation (XSS) in joomla-media-select.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-media-select.w-c.es6.js:388
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.innerHTML = `<details open>
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L17

Insecure DOM Manipulation (XSS) in admin-compare-compare.es6.js

CWE-79
File Location: build/media_source/com_contenthistory/js/admin-compare-compare.es6.js:17
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- const diff = window.Diff.diffWords(original.innerHTML, changed.innerHTML);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L48

Insecure DOM Manipulation (XSS) in changelog.es6.js

CWE-79
File Location: build/media_source/com_installer/js/changelog.es6.js:48
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modal.innerHTML = Joomla.sanitizeHtml(message);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L51

Insecure DOM Manipulation (XSS) in changelog.es6.js

CWE-79
File Location: build/media_source/com_installer/js/changelog.es6.js:51
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modal.innerHTML = Joomla.sanitizeHtml(xhr.statusText);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L45

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:45
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- headerDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_HEAD_FORBIDDEN');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L241

Insecure DOM Manipulation (XSS) in default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/default.es6.js:241
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = Joomla.sanitizeHtml(Joomla.Text._('COM_JOOMLAUPDATE_VIEW_DEFAULT_EXTENSIONS_SHOW_LESS_COMPATIBILITY_INFORMATION'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L472

Insecure DOM Manipulation (XSS) in default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/default.es6.js:472
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- extensionData.element.innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L182

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:182
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- string.innerHTML = Joomla.sanitizeHtml(item.string);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L212

Insecure DOM Manipulation (XSS) in overrider.es6.js

CWE-79
File Location: build/media_source/com_languages/js/overrider.es6.js:212
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('jform_key').value = document.getElementById(`override_key${id}`).innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L111

Insecure DOM Manipulation (XSS) in admin-item-edit_modules.es6.js

CWE-79
File Location: build/media_source/com_menus/js/admin-item-edit_modules.es6.js:111
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpMenu.innerHTML = createElement('span', Joomla.Text._('JALL'), ['badge', 'bg-info']).outerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L123

Insecure DOM Manipulation (XSS) in admin-item-edit_modules.es6.js

CWE-79
File Location: build/media_source/com_menus/js/admin-item-edit_modules.es6.js:123
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpStatus.innerHTML = createElement('span', Joomla.Text._('JYES'), ['badge', 'bg-success']).outerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L222

Insecure DOM Manipulation (XSS) in tinymce-builder.es6.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/tinymce-builder.es6.js:222
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- element.innerHTML += Joomla.sanitizeHtml(`<input type="hidden" name="${name}" value="${value}">`);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L103

Insecure DOM Manipulation (XSS) in client.es6.js

CWE-79
File Location: build/media_source/plg_installer_webinstaller/js/client.es6.js:103
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- jedContainer.innerHTML = Joomla.sanitizeHtml(response.data.html, allowList);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L153

Insecure DOM Manipulation (XSS) in joomla-field-subform.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-subform.w-c.es6.js:153
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.template = tmplElement[0].innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L48

Insecure DOM Manipulation (XSS) in joomla-core-loader.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/joomla-core-loader.w-c.es6.js:48
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- template.innerHTML = `
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L85

Insecure DOM Manipulation (XSS) in messages.es6.js

CWE-79
File Location: build/media_source/system/js/messages.es6.js:85
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- titleWrapper.innerHTML = Joomla.sanitizeHtml(`<span class="${type}"></span><span class="visually-hidden">${Joomla.Text._(type) ? Joomla.Text._(type) : type}</span>`);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L31

Insecure DOM Manipulation (XSS) in template.js

CWE-79
File Location: build/warning_page/template.js:31
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- desc1.innerHTML = errorLocale[ref].text1;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L34

Insecure DOM Manipulation (XSS) in debug.es6.js

CWE-79
File Location: build/media_source/com_finder/js/debug.es6.js:34
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- output.innerHTML = Joomla.sanitizeHtml(response, allowedHtml);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L39

Insecure DOM Manipulation (XSS) in debug.es6.js

CWE-79
File Location: build/media_source/com_finder/js/debug.es6.js:39
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- output.innerHTML = xhr.response;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L140

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:140
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- data = div.innerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L37

Insecure DOM Manipulation (XSS) in default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/default.es6.js:37
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- fileSizeElement.innerHTML = Joomla.sanitizeHtml(Joomla.Text._('JGLOBAL_SELECTED_UPLOAD_FILE_SIZE').replace('%s', `${fileSizeMB.toFixed(2)} MB`));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L246

Insecure DOM Manipulation (XSS) in default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/default.es6.js:246
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- el.innerHTML = Joomla.sanitizeHtml(Joomla.Text._('COM_JOOMLAUPDATE_VIEW_DEFAULT_EXTENSIONS_SHOW_MORE_COMPATIBILITY_INFORMATION'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L129

Insecure DOM Manipulation (XSS) in admin-item-edit_modules.es6.js

CWE-79
File Location: build/media_source/com_menus/js/admin-item-edit_modules.es6.js:129
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- tmpStatus.innerHTML = createElement('span', Joomla.Text._('JTRASHED'), ['badge', 'bg-secondary']).outerHTML;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L24

Insecure DOM Manipulation (XSS) in overridecheck.es6.js

CWE-79
File Location: build/media_source/plg_quickicon_overridecheck/js/overridecheck.es6.js:24
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- span.innerHTML = Joomla.sanitizeHtml(text);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L72

Insecure DOM Manipulation (XSS) in joomla-field-module-order.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/fields/joomla-field-module-order.w-c.es6.js:72
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- node.innerHTML = Joomla.sanitizeHtml(item[2]);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L51

Insecure DOM Manipulation (XSS) in joomla-hidden-mail.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/joomla-hidden-mail.w-c.es6.js:51
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- this.newElement.innerHTML = Joomla.sanitizeHtml(innerStr);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L169

Insecure DOM Manipulation (XSS) in sidebyside.es6.js

CWE-79
File Location: build/media_source/com_associations/js/sidebyside.es6.js:169
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('select-change-text').innerHTML = Joomla.sanitizeHtml(document.getElementById('select-change').getAttribute('data-select'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L27

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:27
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageDiv.innerHTML = message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L30

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:30
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_BODY_INVALIDLOGIN');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L14

Insecure DOM Manipulation (XSS) in jupdatecheck.es6.js

CWE-79
File Location: build/media_source/plg_quickicon_joomlaupdate/js/jupdatecheck.es6.js:14
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- span.innerHTML = Joomla.sanitizeHtml(text);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L193

Insecure DOM Manipulation (XSS) in joomla-dialog.w-c.es6.js

CWE-79
File Location: build/media_source/system/js/joomla-dialog.w-c.es6.js:193
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- template.innerHTML = this.popupTemplate;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L11

Insecure DOM Manipulation (XSS) in admin-compare-compare.es6.js

CWE-79
File Location: build/media_source/com_contenthistory/js/admin-compare-compare.es6.js:11
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- textarea.innerHTML = Joomla.sanitizeHtml(html);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L42

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:42
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = Joomla.sanitizeHtml(message);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L110

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:110
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = Joomla.sanitizeHtml(json.message);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L26

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:26
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- headerDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_HEAD_GENERIC');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L46

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:46
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_BODY_FORBIDDEN');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L532

Insecure DOM Manipulation (XSS) in default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/default.es6.js:532
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- pluginTitleTableCell.innerHTML = `${Joomla.sanitizeHtml(pluginTitleTableCell.innerHTML)}
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L282

Insecure DOM Manipulation (XSS) in tinymce-builder.es6.js

CWE-79
File Location: build/media_source/plg_editors_tinymce/js/tinymce-builder.es6.js:282
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- box.innerHTML += createButton(name, item, type);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L153

Insecure DOM Manipulation (XSS) in shortcut.es6.js

CWE-79
File Location: build/media_source/plg_system_shortcut/js/shortcut.es6.js:153
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- dd.innerHTML = Joomla.sanitizeHtml(title);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L615

Insecure DOM Manipulation (XSS) in calendar.es5.js

CWE-79
File Location: build/media_source/system/js/fields/calendar.es5.js:615
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- cell.innerHTML = Joomla.sanitizeHtml("<a " + classes + " style='display:inline;padding:2px 6px;cursor:pointer;text-decoration:none;' unselectable='on'>" + text + "</a>");
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L112

Insecure DOM Manipulation (XSS) in validate.es6.js

CWE-79
File Location: build/media_source/system/js/fields/validate.es6.js:112
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elMsg.innerHTML = message !== null ? Joomla.sanitizeHtml(message) : Joomla.sanitizeHtml(Joomla.Text._('JLIB_FORM_FIELD_REQUIRED_CHECK'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L93

Insecure DOM Manipulation (XSS) in messages.es6.js

CWE-79
File Location: build/media_source/system/js/messages.es6.js:93
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageWrapper.innerHTML += Joomla.sanitizeHtml(`<div class="alert-message">${typeMessage}</div>`);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L145

Weak Cryptographic Hash (MD5) in Category.php

CWE-327
File Location: libraries/src/HTML/Helpers/Category.php:145
Security Score:
38 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($extension . '.' . serialize($config));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L724

Weak Cryptographic Hash (MD5) in FieldModel.php

CWE-327
File Location: administrator/components/com_fields/src/Model/FieldModel.php:724
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(serialize($fieldIds) . $itemId);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L137

Weak Cryptographic Hash (MD5) in PasswordHash.php

CWE-327
File Location: libraries/phpass/PasswordHash.php:137
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($hash . $password, TRUE);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L539

Weak Cryptographic Hash (MD5) in Access.php

CWE-327
File Location: libraries/src/Access/Access.php:539
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5(implode(',', $collected));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L75

Weak Cryptographic Hash (MD5) in ApplicationHelper.php

CWE-327
File Location: libraries/src/Application/ApplicationHelper.php:75
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return md5(Factory::getApplication()->get('secret') . $seed);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L203

Weak Cryptographic Hash (MD5) in CallbackController.php

CWE-327
File Location: libraries/src/Cache/Controller/CallbackController.php:203
Security Score:
36 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- return md5($hash . serialize([$args]));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L50

Weak Cryptographic Hash (MD5) in Category.php

CWE-327
File Location: libraries/src/HTML/Helpers/Category.php:50
Security Score:
36 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($extension . '.' . serialize($config));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L101

Weak Cryptographic Hash (MD5) in PredefinedlistField.php

CWE-327
File Location: libraries/src/Form/Field/PredefinedlistField.php:101
Security Score:
35 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($this->element->asXML());
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L1529

Weak Cryptographic Hash (MD5) in ItemModel.php

CWE-327
File Location: administrator/components/com_menus/src/Model/ItemModel.php:1529
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L415

Weak Cryptographic Hash (MD5) in Factory.php

CWE-327
File Location: libraries/src/Factory.php:415
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($group . $handler . $storage);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L117

Weak Cryptographic Hash (MD5) in Tag.php

CWE-327
File Location: libraries/src/HTML/Helpers/Tag.php:117
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5(serialize($config));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L900

Weak Cryptographic Hash (MD5) in MultiLanguage.php

CWE-327
File Location: plugins/sampledata/multilang/src/Extension/MultiLanguage.php:900
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing