
vBulletin 3.6.10


Mike
04-23-2008, 06:03 PM
Although 3.6.9 was intended to be the final maintenance release for the 3.6.x series, the discovery of a CSRF (cross-site request forgery) vulnerability in vBulletin over the weekend has forced the release of an update to plug the hole.

The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

The fix for the CSRF issue involves many files and many templates, so unfortunately it is not feasible to produce a patch or a plugin to address the problem. Only a full-scale update will work.

We recommend that customers running versions of vBulletin older than 3.6.10 upgrade as soon as possible.

Template Changes Automatically Applied

With one exception (userinfraction_view), all the template changes in this release require a revert, but they are simple to apply so the upgrade script will attempt to do this for you. The list below shows which templates will be affected by the change, and how they will be altered. Customized templates will be automatically updated, but your customized changes will be retained.

More... (http://www.vbulletin.com/forum/showthread.php?p=1545680#post1545680)

Mike
04-23-2008, 06:10 PM
Well... this one forces the hand. Whenever there is a security vulnerability, you should upgrade ASAP. I have another site of my own, and manage a couple of others that are on vB 3.6.8. I have not upgraded them because I did not want to do two upgrades.

Mike
04-24-2008, 05:43 PM
A recently-discovered CSRF (cross-site request forgery) vulnerability in vBulletin has required the release of a new version of vBulletin. vBulletin 3.6.10 contains various bug fixes back-ported from vBulletin 3.7.0 but most importantly, includes the fix for the CSRF problem.

The vulnerability potentially allows an administrator to be lured to a third party site that could submit a form on their behalf and without their knowledge, with the potential to damage the forum of which the targeted person is an administrator. Actions performed within the Admin Control Panel are NOT vulnerable to this attack vector and are unaffected by the CSRF vulnerability.

We recommend that all customers running versions of vBulletin older than 3.6.10 upgrade as soon as possible. Those running pre-release versions of vBulletin 3.7.0 should upgrade to the newly-released 3.7.0 Release Candidate 4, which also contains the security fix.

Unfortunately, the number of files and templates changed by the fix for the CSRF issue means that a simple patch or plugin would be insufficient to secure vBulletin installations, so it is necessary to perform a full-scale upgrade.

Those running boards with customized templates will be pleased to learn that with a single exception, all template changes related to this security fix are applied automatically to customized templates by the upgrade process without affecting their layout.

Full details of the release can be found in the vBulletin 3.6.10 release announcement thread:
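The attack pattern described in the first and third posts above (a logged-in administrator's browser auto-submitting a forum form from a third-party page, with the session cookie attached) and the general shape of the defence are shown in the added example below. It is illustration code written for this thread, not vBulletin's code, and the page does not describe how vBulletin's own fix was implemented; the `Session`/`Request` classes, the `securitytoken` form field name, the `email` setting being changed and the `https://forum.example` / `https://evil.example` origins are all constructed for the example. The vulnerable handler trusts the cookie alone; the hardened handler additionally requires a per-session secret echoed in the form (synchronizer token pattern) and, as defence in depth, rejects a cross-site `Origin` header when one is present.

```python
"""CSRF: cookie-only authorisation vs. synchronizer-token check.

Added example, not vBulletin code. All names, origins and the
'securitytoken' field are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FORUM_ORIGIN = "https://forum.example"  # constructed forum origin


@dataclass
class Session:
    user_id: int
    is_admin: bool
    # Per-session secret; only pages served by the forum can read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    session: Optional[Session]  # set when the browser sent a valid cookie
    form: Dict[str, str]
    origin: Optional[str] = None  # Origin header, if the browser sent one


def handle_vulnerable(req: Request, state: Dict[str, str]) -> Tuple[int, str]:
    """'Before': the session cookie alone authorises the change. A form
    auto-submitted by a third-party page carries the victim's cookie, so
    the forged request is accepted."""
    if req.session is None or not req.session.is_admin:
        return 403, "not an admin"
    state["email"] = req.form.get("email", state["email"])
    return 200, "updated"


def handle_hardened(req: Request, state: Dict[str, str]) -> Tuple[int, str]:
    """'After': the form must echo the session's secret token, which an
    attacker's page cannot read because of the same-origin policy. A
    mismatching Origin header is rejected as defence in depth."""
    if req.session is None or not req.session.is_admin:
        return 403, "not an admin"
    if req.origin is not None and req.origin != FORUM_ORIGIN:
        return 403, "cross-site origin"
    supplied = req.form.get("securitytoken", "")
    # Constant-time comparison so the check does not leak the token.
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403, "missing or bad security token"
    state["email"] = req.form.get("email", state["email"])
    return 200, "updated"


def render_form(session: Session) -> Dict[str, str]:
    """The forum embeds the token in every form it serves."""
    return {"securitytoken": session.csrf_token}


def simulate() -> Dict[str, Dict[str, object]]:
    """Run a legitimate and two forged submissions through both handlers.
    Returns the status codes and the resulting stored e-mail address."""
    admin = Session(user_id=1, is_admin=True)
    # Legitimate: form rendered by the forum, token included.
    legit = Request(
        session=admin,
        form={**render_form(admin), "email": "admin@forum.example"},
        origin=FORUM_ORIGIN,
    )
    # Forged: the admin's browser submits a form from a third-party page.
    # The cookie is attached automatically; the token is not known.
    forged = Request(
        session=admin,
        form={"email": "attacker@evil.example"},
        origin="https://evil.example",
    )
    # Same forgery from a browser that sends no Origin header at all.
    forged_no_origin = Request(
        session=admin, form={"email": "attacker@evil.example"}, origin=None
    )

    results: Dict[str, Dict[str, object]] = {}
    for name, handler in (("vulnerable", handle_vulnerable),
                          ("hardened", handle_hardened)):
        state = {"email": "admin@forum.example"}
        results[name] = {
            "legit": handler(legit, state)[0],
            "forged": handler(forged, state)[0],
            "forged_no_origin": handler(forged_no_origin, state)[0],
            "stored_email": state["email"],
        }
    return results


if __name__ == "__main__":
    for handler_name, outcome in simulate().items():
        print(handler_name, outcome)
```

The `forged_no_origin` case is why the token check, not the `Origin` check, carries the defence: browsers of that era did not send `Origin`, so an origin-only check would have let the forgery through, whereas the token check rejects it regardless. Note also that the page says Admin Control Panel actions were not affected; the example models a front-end form of the kind the announcement describes, not the Admin CP.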