vBulletin Solutions · vBulletin · CVE-2006-6040
**Name of the Vulnerable Software and Affected Versions**
vBulletin versions 3.6.x
**Description**
The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. The injection is possible via the `prefs` parameter in a `buildnavprefs` action or the `navprefs` parameter in a `savenavprefs` action.
**Recommendations**
For vBulletin versions 3.6.x, consider disabling the `buildnavprefs` and `savenavprefs` actions to prevent exploitation until a patch is available. Restrict access to the `admincp/index.php` file to minimize the risk of XSS attacks. Avoid using the `prefs` and `navprefs` parameters in the affected actions until the issue is resolved.
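
While the affected actions remain reachable, web-server access logs can be reviewed for requests that use them. The script below is an added example, not part of the original advisory or of vBulletin's code. It assumes combined-format access logs and that the action name is passed in a `do` query parameter; the log lines are constructed, and values sent in a POST body do not appear in such logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Action -> parameter pairs named in the advisory.
WATCHED = {"buildnavprefs": "prefs", "savenavprefs": "navprefs"}
# Characters that indicate HTML/script markup in a preference value.
MARKUP = re.compile(r"[<>\"']")
# Request field of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2007:10:00:00 +0000] "GET /forum/admincp/index.php?do=buildnavprefs&prefs=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2007:10:00:05 +0000] "GET /forum/admincp/index.php?do=savenavprefs&navprefs=1,2,3 HTTP/1.1" 200 498',
    '198.51.100.4 - - [01/Jan/2007:10:01:00 +0000] "GET /forum/index.php?do=buildnavprefs&prefs=%3Cb%3E HTTP/1.1" 200 900',
    '198.51.100.4 - - [01/Jan/2007:10:02:00 +0000] "GET /forum/admincp/index.php?do=home HTTP/1.1" 200 700',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded) so double-encoded markup is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, 'action' (watched action used) or 'markup' (value carries markup)."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/admincp/index.php"):
        return None
    # parse_qs percent-decodes once; blank values are kept so empty params still count.
    params = parse_qs(url.query, keep_blank_values=True)
    # Assumption: the action is selected by a "do" query parameter.
    for action in params.get("do", []):
        field = WATCHED.get(action.lower())
        if field is None:
            continue
        values = [fully_decode(v) for v in params.get(field, [])]
        return "markup" if any(MARKUP.search(v) for v in values) else "action"
    return None

def scan(lines):
    """Return (verdict, line) for every line that touches a watched action."""
    return [(v, line) for line in lines if (v := classify(line))]
```

A `markup` verdict deserves review first; an `action` verdict only shows that one of the two actions was used.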