CVE-2008-3184

Name of the Vulnerable Software and Affected Versions: vBulletin versions 3.6.10 PL2 and earlier vBulletin versions 3.7.2 and earlier 3.7.x

Description: The issue allows remote attackers to inject arbitrary web script or HTML via the PATH INFO (PHP SELF) or the do parameter. This can be demonstrated by requests to "upload/admincp/faq.php". The issue can be leveraged to execute arbitrary PHP code.

Recommendations: For vBulletin versions 3.6.10 PL2 and earlier, update to a version later than 3.6.10 PL2 to resolve the issue. For vBulletin versions 3.7.2 and earlier 3.7.x, update to a version later than 3.7.2 to resolve the issue. As a temporary workaround, consider restricting access to the upload/admincp/faq.php endpoint until a patch is available.