
vBulletin < 3.6.5 .swf ActionScript XSS

Medium

Synopsis

The remote host is vulnerable to a Script Injection attack.

Description

The version of vBulletin installed on the remote host fails to properly sanitize user-supplied input. As a result, the application is prone to a file upload flaw. An attacker exploiting this flaw would create a post that includes a malicious .swf file attachment, which would be uploaded to the target server. Users who view the post and execute the .swf file would be vulnerable to a loss of confidential data.

Solution

Upgrade to version 3.6.5 or higher.