Back to Codebase

Vulnerability Analysis Report

Joomla CMS v4.2.2

Scan ID: SCAN-JOOMLA-CORE-edfuTw • Hash: 2b8eba3c

Severity Score
High
Total Findings
20
Engine Version
ECOMGUARD-HYBRID-AST-1.5
Scan Duration
0.966s

Vulnerability Details

L221

Insecure DOM Manipulation (XSS) in sidebyside.es5.js

CWE-79
File Location: build/media_source/com_associations/js/sidebyside.es5.js:221
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('select-change-text').innerHTML = Joomla.sanitizeHtml(document.getElementById('select-change').getAttribute('data-select'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L125

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:125
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = Joomla.sanitizeHtml(error);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L48

Insecure DOM Manipulation (XSS) in changelog.es6.js

CWE-79
File Location: build/media_source/com_installer/js/changelog.es6.js:48
Security Score:
75 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modal.innerHTML = Joomla.sanitizeHtml(message);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L227

Insecure DOM Manipulation (XSS) in sidebyside.es5.js

CWE-79
File Location: build/media_source/com_associations/js/sidebyside.es5.js:227
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById('select-change-text').innerHTML = Joomla.sanitizeHtml(document.getElementById('select-change').getAttribute('data-change'));
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L11

Insecure DOM Manipulation (XSS) in admin-compare-compare.es6.js

CWE-79
File Location: build/media_source/com_contenthistory/js/admin-compare-compare.es6.js:11
Security Score:
74 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- textarea.innerHTML = Joomla.sanitizeHtml(html);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L26

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:26
Security Score:
73 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- headerDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_HEAD_GENERIC');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L93

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:93
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- document.getElementById(`finder-${context[0].replace(/\s+/g, '-').toLowerCase()}`).innerHTML = Joomla.sanitizeHtml(`${json.pluginState[context[0]].offset} of ${json.pluginState[context[0]].total}`);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L27

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:27
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageDiv.innerHTML = message;
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L30

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:30
Security Score:
72 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- messageDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_BODY_INVALIDLOGIN');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L42

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:42
Security Score:
71 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = Joomla.sanitizeHtml(message);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L51

Insecure DOM Manipulation (XSS) in changelog.es6.js

CWE-79
File Location: build/media_source/com_installer/js/changelog.es6.js:51
Security Score:
69 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- modal.innerHTML = Joomla.sanitizeHtml(xhr.statusText);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L111

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:111
Security Score:
68 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = Joomla.sanitizeHtml(json.message);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L44

Insecure DOM Manipulation (XSS) in admin-system-loader.es6.js

CWE-79
File Location: build/media_source/com_cpanel/js/admin-system-loader.es6.js:44
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- elem.innerHTML = Joomla.sanitizeHtml(response.data);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L45

Insecure DOM Manipulation (XSS) in admin-update-default.es6.js

CWE-79
File Location: build/media_source/com_joomlaupdate/js/admin-update-default.es6.js:45
Security Score:
67 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- headerDiv.innerHTML = Joomla.Text._('COM_JOOMLAUPDATE_ERRORMODAL_HEAD_FORBIDDEN');
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L17

Insecure DOM Manipulation (XSS) in admin-compare-compare.es6.js

CWE-79
File Location: build/media_source/com_contenthistory/js/admin-compare-compare.es6.js:17
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- const diff = window.Diff.diffWords(original.innerHTML, changed.innerHTML);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L150

Insecure DOM Manipulation (XSS) in indexer.es6.js

CWE-79
File Location: build/media_source/com_finder/js/indexer.es6.js:150
Security Score:
66 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- progressMessage.innerHTML = Joomla.sanitizeHtml(message);
+ element.textContent = data; // Or use DOMPurify to sanitize HTML output
L1526

Weak Cryptographic Hash (MD5) in ItemModel.php

CWE-327
File Location: administrator/components/com_menus/src/Model/ItemModel.php:1526
Security Score:
37 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L661

Weak Cryptographic Hash (MD5) in CategoryModel.php

CWE-327
File Location: administrator/components/com_categories/src/Model/CategoryModel.php:661
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(json_encode($associations));
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L701

Weak Cryptographic Hash (MD5) in FieldModel.php

CWE-327
File Location: administrator/components/com_fields/src/Model/FieldModel.php:701
Security Score:
28 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $key = md5(serialize($fieldIds) . $itemId);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing
L52

Weak Cryptographic Hash (MD5) in LogcreatorField.php

CWE-327
File Location: administrator/components/com_actionlogs/src/Field/LogcreatorField.php:52
Security Score:
26 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($this->element);
+ password_hash($password, PASSWORD_BCRYPT); // Avoid legacy MD5 for secrets hashing