Source: http://www.securityfocus.com/bid/5997/info
vBulletin does not filter HTML tags from URI parameters, making it prone to cross-site scripting attacks.