vBulletin '$newpm[title]' Parameter Cross-Site Scripting Vulnerability

An attacker can exploit this issue by tricking an unsuspecting user into opening a malicious private message.

The following proof-of-concept code will execute when included in the title of a private message:

--></script><script>alert(/xss/.source)</script><!--
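
The shape of the proof-of-concept (it closes an HTML comment and a script element, then reopens both) suggests the title is written unencoded into an inline script block. The following PHP is an added example of the output encoding that neutralizes it, not vBulletin's code or its fix; the template markup, the `pm_title` variable and all function names are hypothetical, and the script-block placement is an assumption drawn from the payload.

```php
<?php
// Added example, not vBulletin source. The inline-script template below is a
// hypothetical stand-in; the advisory does not show the real template.

// Constructed input: the proof-of-concept title quoted in the advisory.
$title = '--></script><script>alert(/xss/.source)</script><!--';

// Vulnerable pattern: the title is concatenated raw into the script block.
function render_unsafe(string $title): string
{
    return "<script type=\"text/javascript\">\n<!--\n"
         . 'var pm_title = "' . $title . "\";\n// -->\n</script>";
}

// Script context: JSON-encode so <, >, &, ' and " become \uXXXX escapes.
// The value stays a valid JavaScript string literal and can no longer
// close the comment or the script element.
function render_script_safe(string $title): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR; // JSON_THROW_ON_ERROR needs PHP 7.3+
    return "<script type=\"text/javascript\">\n<!--\n"
         . 'var pm_title = ' . json_encode($title, $flags) . ";\n// -->\n</script>";
}

// HTML body context (for example a table cell): entity-encode instead.
function render_html_safe(string $title): string
{
    return '<td>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// A template with one script block should contain exactly one closing tag;
// any extra one means the title broke out of its context.
function closing_script_tags(string $html): int
{
    return substr_count(strtolower($html), '</script>');
}

printf("unsafe:      %d closing tags\n", closing_script_tags(render_unsafe($title)));
printf("script-safe: %d closing tags\n", closing_script_tags(render_script_safe($title)));
printf("html-safe:   %d closing tags\n", closing_script_tags(render_html_safe($title)));
echo render_script_safe($title), "\n";
```

The encoder has to match the output context: `htmlspecialchars` alone is not sufficient inside a script block, and JSON encoding is not a substitute for entity encoding in HTML body text.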


 

Copyright 2010, SecurityFocus