3.6.5 has been out for a while now, the post on vBulletins website was made on 1st March...
It is worth noting that in order to exploit the problem highlighted by the report, the attacking user must satisfy the following conditions:
Must already have moderator privileges
Must share the same IP address (or the number of IP octets specified in the Admin Control Panel for IP address matching) with an existing administrator who is currently logged in to the Admin Control Panel
Must know the Alt-IP and user agent (exact browser identification) of the administrator
OR must know the license number of the site being attacked
|