Further to the issue that was rectified with vB 4.0.8 PL1, an additional concern was identified that may affect users utilizing IE6.
The flaw may enable users to upload a script to their own profile, and viewers of that profile when utilizing IE6 may be exploited.
This issue only affects vBulletin 4.0.8/vBulletin 4.0.8 PL1 where User Profile Customization has been enabled by the administrator. No other versions of vBulletin are affected. Versions of vBulletin 4.0.8/4.0.8 PL1 that do not have User Profile Customization enabled, or elect to disable the User Profile Customization are also not affected.
To rectify the issue please either download the patch from the members area of vBulletin: Please Log In
Or disable user profile...