The file "Uploader.swf" is located either in located in 'clientscript/yui/uploader/assets' or '/core/clientscript/yui/uploader/assets'.
"It has come to our attention that there is a security issue in the uploader.swf file included as part of the Yahoo User Interface (YUI) library included in vBulletin 4. As the version of YUI included in vBulletin is end-of-lifed, Yahoo will not be fixing this issue." vBulletin Security advisory reads.
Proof of concept: