The vulnerable file is also present in the vBulletin 5 download package though not used by the vBulletin 5 front-end. We recommend that you delete the file and replace it with the attached file.
We have also updated all download packages for vBulletin 4.X and 5.X with the new empty file.
To resolve this issue take the following steps:
- Delete uploader.swf located in clientscript/yui/uploader/assets or /core/clientscript/yui/uploader/assets
- Replace it with the attached file.
Note: We will not be fixing the vulnerability in the SWF file directly nor do we plan to take any other action on this issue at this time.