Back to Codebase

Vulnerability Analysis Report

Joomla CMS v4.0.0-beta7

Scan ID: SCAN-JOOMLA-CORE-QK9YXH • Hash: 4dd9cec1

Severity Score
High
Total Findings
20
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.742s

Vulnerability Details

L33

Insecure DOM Manipulation (XSS) in associations-edit.es6.js

CWE-79
File Location: build/media_source/com_associations/js/associations-edit.es6.js:33
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- html.innerHTML = Joomla.JText._('JGLOBAL_ASSOC_NOT_POSSIBLE');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L11

Insecure DOM Manipulation (XSS) in admin-compare-compare.es6.js

CWE-79
File Location: build/media_source/com_contenthistory/js/admin-compare-compare.es6.js:11
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- textarea.innerHTML = html;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L150

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:150
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L17

Insecure DOM Manipulation (XSS) in admin-compare-compare.es6.js

CWE-79
File Location: build/media_source/com_contenthistory/js/admin-compare-compare.es6.js:17
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- const diff = window.Diff.diffWords(original.innerHTML, changed.innerHTML);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L48

Insecure DOM Manipulation (XSS) in changelog.es6.js

CWE-79
File Location: build/media_source/com_installer/js/changelog.es6.js:48
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modal.innerHTML = message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L218

Insecure DOM Manipulation (XSS) in sidebyside.es5.js

CWE-79
File Location: build/media_source/com_associations/js/sidebyside.es5.js:218
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('select-change-text').innerHTML = document.getElementById('select-change').getAttribute('data-select');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L125

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:125
Security Score:
70 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = error;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L51

Insecure DOM Manipulation (XSS) in changelog.es6.js

CWE-79
File Location: build/media_source/com_installer/js/changelog.es6.js:51
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modal.innerHTML = xhr.statusText;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L224

Insecure DOM Manipulation (XSS) in sidebyside.es5.js

CWE-79
File Location: build/media_source/com_associations/js/sidebyside.es5.js:224
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('select-change-text').innerHTML = document.getElementById('select-change').getAttribute('data-change');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L42

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:42
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L111

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:111
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = json.message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L42

Insecure DOM Manipulation (XSS) in admin-system-loader.es6.js

CWE-79
File Location: build/media_source/com_cpanel/js/admin-system-loader.es6.js:42
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = response.data;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L93

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:93
Security Score:
65 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById(`finder-${context[0].replace(/\s+/g, '-').toLowerCase()}`).innerHTML = `${json.pluginState[context[0]].offset} of ${json.pluginState[context[0]].total}`;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L7692

Weak Cryptographic Hash (MD5) in restore.php

CWE-327
File Location: administrator/components/com_joomlaupdate/restore.php:7692
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5($password);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L706

Weak Cryptographic Hash (MD5) in FieldModel.php

CWE-327
File Location: administrator/components/com_fields/src/Model/FieldModel.php:706
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(serialize($fieldIds) . $itemId);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L722

Weak Cryptographic Hash (MD5) in CategoryModel.php

CWE-327
File Location: administrator/components/com_categories/src/Model/CategoryModel.php:722
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L7944

Weak Cryptographic Hash (MD5) in restore.php

CWE-327
File Location: administrator/components/com_joomlaupdate/restore.php:7944
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $lookupKey = "PBKDF2-$algorithm-$iterations-" . md5($password . $staticSalt);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L50

Weak Cryptographic Hash (MD5) in LogcreatorField.php

CWE-327
File Location: administrator/components/com_actionlogs/src/Field/LogcreatorField.php:50
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($this->element);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L7729

Weak Cryptographic Hash (MD5) in restore.php

CWE-327
File Location: administrator/components/com_joomlaupdate/restore.php:7729
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $lookupKey = md5($password . '-' . $nBits);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L1656

Weak Cryptographic Hash (MD5) in ItemModel.php

CWE-327
File Location: administrator/components/com_menus/src/Model/ItemModel.php:1656
Security Score:
27 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing