vBulletin Arbitrary File Upload Vulnerability
vBulletin is prone to an arbitrary file-upload vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to upload an arbitrary remote file containing malicious HTML and JavaScript code to a bulletin-board message, and then execute arbitrary HTML and script code in the browser of a victim user in the context of the affected site. Note that this vulnerability occurs only when the malicious message is viewed using Internet Explorer. The code contained in uploaded files will execute in the context of the victim's browser application.