A recently-discovered CSRF (cross-site request forgery) vulnerability in vBulletin has required the release of a new version of vBulletin. vBulletin 3.6.10 contains various bug fixes back-ported from vBulletin 3.7.0 but most importantly, includes the fix for the CSRF problem.
The vulnerability potentially allows an administrator to be lured to a third party site that could submit a form on their behalf and without their knowledge, with the potential to damage the forum of which the targeted person is an administrator. Actions performed within the Admin Control Panel are NOT vulnerable to this attack vector and are unaffected by the CSRF vulnerability.
We recommend that all customers running versions of vBulletin older than 3.6.10 upgrade as soon as possible. Those running pre-release versions of vBulletin 3.7.0 should upgrade to the newly-released 3.7.0 Release Candidate 4, which also contains the security fix.
Unfortunately, the number of files and templates changed by the fix for the CSRF issue mean that a simple patch or plugin would be insufficient to secure vBulletin installations, so it is necessary to perform a full-scale upgrade.
Those running boards with customized templates will be pleased to learn that with a single exception, all template changes related to this security fix are applied automatically to customized templates by the upgrade process without affecting their layout.
