MyBB 1.8.20 is now available, and is a security & maintenance release.
5 security vulnerabilities addressed:
- Medium risk: Reset Password reflected XSS
- Medium risk: ModCP Profile Editor username reflected XSS — reported by Jovan Zivanovic of MaTRIS Research Group, SBA Research
- Low risk: Predictable CSRF token for guest users — reported by Devilshakerz of MyBB Team
- Low risk: ACP Stylesheet Properties XSS — reported by Cillian Collins
- Low risk: Reset Password username enumeration via email — reported by Abdullah Md. Shaleh
- 42 issues resolved
Check Release Notes for a list of changes to language files, templates and unresolved issues.
The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.