It has come to our attention that a relatively low-risk XSS attack can be performed against an administrator in IPB 2.1.x. For this attack to take place, the malicious user must host an avatar on their own server that appears to be a legitimate image file but is actually a script set to redirect the browser to another location. The administrator must have 'root' access and must load the avatar in the ACP by searching for the member with the ACP's "Search Member" form.
Even though the XSS attack requires a very specific sequence of events, we consider this security update worthwhile. The update consists of a single ACP file, which stops the user's avatar from being displayed in the search results page. IPB 2.2.0, currently nearing release candidate status, has increased security in the ACP, which means this attack would not succeed there.
To update your installation, download the attached file and upload "sources/action_admin/member.php" over the copy currently used by your installation.
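As an added defensive illustration (not this advisory's code, nor IPB's own; the function names and the sample responses are constructed for the example), the following Python checks validate a remotely hosted avatar by the response actually fetched rather than by its filename, and build a search-result row that omits the avatar unless it has been verified, which is the effect of the patch described above:

```python
import html
from urllib.parse import urlsplit

# Leading bytes that a genuine avatar of each Content-Type must begin with.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

def avatar_url_is_plausible(url: str) -> bool:
    """Syntactic check before any fetch: http(s) only, a host, no embedded credentials."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname) and "@" not in parts.netloc

def avatar_response_is_image(status: int, headers: dict, body: bytes) -> bool:
    """Accept a fetched avatar only if it is a 200 whose Content-Type is an image type
    and whose first bytes match that type. Redirects (3xx), HTML bodies and
    mismatched magic bytes are all rejected, regardless of the URL's extension."""
    if status != 200:
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    signatures = IMAGE_SIGNATURES.get(ctype)
    return signatures is not None and body.startswith(signatures)

def render_member_row(name: str, avatar_url: str, avatar_verified: bool = False) -> str:
    """Build one search-result row. The avatar is embedded only when the caller has
    verified it; by default the row carries just the escaped member name."""
    row = "<td>%s</td>" % html.escape(name)
    if avatar_verified and avatar_url_is_plausible(avatar_url):
        row += '<td><img src="%s" alt=""></td>' % html.escape(avatar_url, quote=True)
    return "<tr>" + row + "</tr>"

# Constructed sample responses (status, headers, body) as a fetcher might return them;
# no real servers are involved.
SAMPLE_RESPONSES = {
    "real_png": (200, {"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "redirect_named_gif": (302, {"Location": "http://elsewhere.invalid/"}, b""),
    "html_claiming_gif": (200, {"Content-Type": "image/gif"}, b"<html><body>not an image</body></html>"),
    "html_type": (200, {"Content-Type": "text/html"}, b"GIF89a"),
}

def check_samples() -> dict:
    """Run the response check over every sample and report which ones pass."""
    return {name: avatar_response_is_image(*resp) for name, resp in SAMPLE_RESPONSES.items()}
```

Only the real PNG passes; the redirect, the HTML body served under an image type, and the image bytes served as text/html are all refused before anything is rendered.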