Moderate severity · NVD Advisory · Published Jun 29, 2007 · Updated Apr 23, 2026
CVE-2007-3498
Description
Cross-site scripting (XSS) vulnerability in smoketests/configForm.php in HTML Purifier before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "unescaped print_r output."
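The sink named in the description is a raw `print_r()` of a configuration object built from form input, written straight into a `<pre>` block. The following is an added example, not HTML Purifier's own code: it reduces that output step to one function so the pre-2.0.1 behaviour and the 2.0.1 fix can be run side by side on a constructed attacker-controlled value. The function name, the sample request array and the `ENT_QUOTES`/`'UTF-8'` flags are assumptions made for this illustration; the fix itself calls `htmlspecialchars()` with default flags.

```php
<?php
// Added example (not HTML Purifier's code): a reduced model of the
// smoketests/configForm.php output step, showing why raw print_r()
// output of user-controlled data is an XSS sink and how the 2.0.1 fix
// closes it. The function name and the sample request are assumptions.

/**
 * Render a configuration array inside a <pre> block.
 * $escape = false reproduces the pre-2.0.1 behaviour (raw print_r),
 * $escape = true reproduces the 2.0.1 fix (print_r captured, then escaped).
 */
function render_config_dump(array $config, bool $escape): string
{
    // print_r(..., true) returns the dump instead of printing it, so it can
    // be passed through an encoder before it reaches the page.
    $dump = print_r($config, true);
    if ($escape) {
        // ENT_QUOTES and an explicit charset are stricter than the bare
        // htmlspecialchars() call in the fix; both are safe in <pre> text.
        $dump = htmlspecialchars($dump, ENT_QUOTES, 'UTF-8');
    }
    return "<pre>\n" . $dump . "</pre>\n";
}

// Constructed sample request: one attacker-controlled configuration value,
// standing in for a form field that configForm.php reads into its config.
$userConfig = [
    'Core.Encoding' => 'utf-8',
    'HTML.Doctype'  => '"><script>alert(document.cookie)</script>',
];

$vulnerable = render_config_dump($userConfig, false);
$fixed      = render_config_dump($userConfig, true);

// The raw dump carries the <script> tag into the page verbatim.
assert(strpos($vulnerable, '<script>') !== false);
// After escaping, only entity-encoded text remains.
assert(strpos($fixed, '<script>') === false);
assert(strpos($fixed, '&lt;script&gt;') !== false);

echo "--- before 2.0.1 ---\n", $vulnerable;
echo "--- 2.0.1 fix ---\n", $fixed;
```

Run with `php example.php`; the first dump contains a live `<script>` element, the second only `&lt;script&gt;`. Note that `print_r()` without its second argument prints immediately, so the capture-then-escape pattern (`print_r($x, true)`) is what makes the encoder reachable at all. Because this script lives under `smoketests/`, the practical mitigation for deployments that cannot upgrade is to keep that directory out of any web-served document root.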
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ezyang/htmlpurifier (Packagist) | < 2.0.1 | 2.0.1 |
Affected products
- cpe:2.3:a:htmlpurifier:htmlpurifier:2.0.0:*:*:*:*:*:*:*
Patches
96b571d23639 [2.0.1] Fix unescaped print_r that handles user input
1 file changed · +1 −1
smoketests/configForm.php+1 −1 modified@@ -70,7 +70,7 @@ </form> <pre> <?php -print_r($config->getAll()); +echo htmlspecialchars(print_r($config->getAll(), true)); ?> </pre> </body>
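Review bot: the `+` line escapes into a `<pre>` text context, which is sufficient here, but it relies on `htmlspecialchars()` default flags (single quotes are not encoded and the charset is taken from the runtime default); prefer `echo htmlspecialchars(print_r($config->getAll(), true), ENT_QUOTES, 'UTF-8');` so the same line stays safe if it is later reused in an attribute context or run under a different default charset. The commit message says `$config` handles user input, so it would also help to note in the patch that `smoketests/configForm.php` reflects request-controlled configuration and that the `smoketests/` directory should not be served from a production web root.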
References
- htmlpurifier.org/svnroot/htmlpurifier/tags/2.0.1/NEWS (NVD, patch, web)
- github.com/advisories/GHSA-6fh7-fwqj-mv49 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2007-3498 (GHSA, advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/35300 (NVD, web)
- github.com/ezyang/htmlpurifier/commit/96b571d23639bd70768b8db626ecaf8bbb7ca5a3 (GHSA, web)
- github.com/ezyang/htmlpurifier/commits/v2.0.1/smoketests/configForm.php (GHSA, web)
- web.archive.org/web/20200228110020/http://www.securityfocus.com/bid/24699 (GHSA, web)
- osvdb.org/36722 (NVD)
- www.securityfocus.com/bid/24699 (NVD)