vBulletin 4.0.8 PL1: XSS (Cross Site Scripting) Filter Bypass Vulnerability within Profile Customization

Users of vBulletin 4.0.8 PL1, please be advised that an XSS (Cross Site Scripting) filter bypass vulnerability has been identified within Profile Customization.
To view this vulnerability, possible remedies, and other advisories, see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

vBulletin-SA-11/23/2010: vBulletin 4.0.8 PL1 – XSS Filter Bypass within Profile Customization
-:: The Advisory ::-
vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the
Profile Customization feature. If this feature is not enabled, the vulnerability
does not exist and the installation of vBulletin is thereby secure.

Within the profile customization fields, it is possible to enter colour codes,
rgb codes and even images. The image url() function does not sufficiently
sanitize user input, leaving vBulletin vulnerable to XSS attacks.

The previous patch for vBulletin 4.0.8 PL1 disabled most attacks; however, it
is still possible to bypass this filter and inject data which is then executed.
The bypass is effective against, though not limited to, Internet Explorer 6.
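
One way to close this class of filter bypass is to validate profile values
against an allowlist and re-emit them in canonical form, rather than filtering
known-bad strings. The PHP below is an added example, not vBulletin's code or
its patch; sanitize_profile_css_value() and the sample inputs are hypothetical.

```php
<?php
// Hypothetical helper (not a vBulletin function): accept only the three value
// kinds the advisory names, and reject everything else instead of cleaning it.
function sanitize_profile_css_value(string $raw): ?string
{
    $v = trim($raw);

    // Colour code: #rgb or #rrggbb only.
    if (preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $v)) {
        return strtolower($v);
    }

    // rgb(r, g, b) with each channel an integer in 0..255.
    if (preg_match('/\Argb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)\z/i', $v, $m)) {
        foreach (array_slice($m, 1) as $c) {
            if ((int) $c > 255) {
                return null;
            }
        }
        return sprintf('rgb(%d, %d, %d)', $m[1], $m[2], $m[3]);
    }

    // Image: url(...) with optional matching quotes around the URL.
    if (preg_match('/\Aurl\(\s*(["\']?)([^"\'\s()\\\\]+)\1\s*\)\z/i', $v, $m)) {
        // http(s) only, and a fixed character set: no quotes, parentheses,
        // backslashes, whitespace, control or non-ASCII bytes can survive.
        $ok = preg_match('#\Ahttps?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/-]*)?\z#', $m[2]);
        // Re-emit in one canonical quoted form rather than echoing the input.
        return $ok ? 'url("' . $m[2] . '")' : null;
    }

    return null;
}

// Constructed sample inputs.
$samples = [
    '#FFAA00',
    'rgb(12, 200, 255)',
    'rgb(300,0,0)',
    "url('http://example.invalid/bg.png')",
    'url(ftp://example.invalid/bg.png)',
    'url(http://example.invalid/a.png) ; color: red',
];
foreach ($samples as $s) {
    $out = sanitize_profile_css_value($s);
    printf("%-48s => %s\n", $s, $out ?? 'REJECTED');
}
```

The returned value still needs context-appropriate output encoding when it is
written into the profile page's stylesheet.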

Read more at http://www.criticalwatch.com