An XSS flaw affecting the vBulletin control panel logging system has been identified, another was found affecting boards running in debug mode. It could allow an attacker to trick an admin into unwittingly performing an action within the control panel that they had not intended. To resolve this issue, it is necessary to release patch level versions of vBulletin 3.7.2 and 3.6.10.
One of the XSS flaws was discovered by Jessica Hope and the other by ourselves.
The upgrade process is the same as previous patch level releases - simply download the patch from the
Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.
As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.
Upgrading from 3.7.2, 3.6.10 or their patch level versions
If you are already running 3.7.2, 3.6.10 or their patch level versions, the process you will be required to follow to make your board immune to the XSS problem is very simple.
There is no need to run an upgrade script if you are already running 3.7.2, 3.6.10 or their patch level versions.
Visit the
Patches section of the vBulletin Members' Area and download either the patch for 3.7.2, or the patch for 3.6.10, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 or PL3 release respectively.
The 3.6.10 PL3 patch file also includes the PL1 and PL2 fixes.
Upgrading from Versions Earlier than 3.7.2 or 3.6.10
If you are
not already running 3.7.2 or 3.6.10, you should download the most latest version from the
Members' Area and perform an upgrade as normal.
Full instructions for upgrading vBulletin are available here. Download vBulletin 3.7.2 PL1 or 3.6.10 PL3
As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members' Area.
vBulletin Members Area More... 
Linear Mode
