PT-2006-5083 · vBulletin+1

Published: 2006-08-21 · Updated: 2018-10-17 · CVE-2006-4273

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

vBulletin versions 3.5.4 through 3.6.0

Description

A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML by uploading an attachment with a .pdf extension that contains JavaScript. This JavaScript is processed as script by Microsoft Internet Explorer 6.

Recommendations

For versions 3.5.4 and 3.6.0, consider disabling the attachment upload feature until a fix is available, or restrict the types of files that can be uploaded to prevent malicious attachments.

Related Identifiers

CVE-2006-4273

Affected Products

Internet Explorer 6
vBulletin