vBulletin < 3.6.5 .swf ActionScript XSS
Medium Nessus Network Monitor Plugin ID 3869
Synopsis
The remote host is vulnerable to a Script Injection attack.

Description
The version of vBulletin installed on the remote host fails to properly sanitize user-supplied input. Given this, the application is prone to a file upload flaw. An attacker exploiting this flaw would create a post that includes a malicious .swf file attachment. The malicious .swf file would be uploaded to the target server. Users viewing the post and executing the .swf file would be vulnerable to a loss of confidential data.

Solution
Upgrade to version 3.6.5 or higher.