CVE-2006-3253

Name of the Vulnerable Software and Affected Versions vBulletin versions 3.5.x

Description A cross-site scripting (XSS) issue in member.php allows remote attackers to inject arbitrary web script or HTML via the u parameter. The vendor has disputed this report, stating that they have been unable to replicate the issue and that the userid parameter is run through their filtering system as an unsigned integer.

Recommendations For vBulletin versions 3.5.x, as a temporary workaround, consider restricting access to the member.php file until the issue is resolved. Avoid using the u parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.