Tweet
Potential XSS in vBulletin 3.0.7 and older
It has come to our attention that an XSS issue exists within vBulletin 3 in versions up to and including 3.0.7.
However, the circumstances that allow this XSS issue to be exploited are rare so the vast majority of installations will be unaffected.
Your installation is vulnerable if
Both of these settings can be found in vBulletin Options > Message Searching Options (Default Search)
If you are unable to change these settings, you can simply overwrite the existing includes/functions_search.php file with the one attached to this thread. If neither of these conditions applies to you, there is no need to download this file at all.
However, the circumstances that allow this XSS issue to be exploited are rare so the vast majority of installations will be unaffected.
Your installation is vulnerable if
- You do not Allow Search Wild Cards or
- You have a very large Search Index Minimum Word Length value (more than ten characters)
Both of these settings can be found in vBulletin Options > Message Searching Options (Default Search)
If you are unable to change these settings, you can simply overwrite the existing includes/functions_search.php file with the one attached to this thread. If neither of these conditions applies to you, there is no need to download this file at all.
