Cross-site scripting (XSS) vulnerability in vBulletin 3.0.12 and 3.5.3 allows remote attackers to inject arbitrary web script or HTML via the email field, which is injected in profile.php but not sanitized in sendmsg.php.
secunia.com/advisories/19100
www.kapda.ir/advisory-266.html
www.osvdb.org/23614
www.securityfocus.com/archive/1/426537/100/0/threaded
www.securityfocus.com/archive/1/426589/100/0/threaded
www.securityfocus.com/bid/16919
www.vbulletin.com/forum/showthread.php?postid=1079030
www.vupen.com/english/advisories/2006/0808