MyBB 1.8.21 is now available, and is a security & maintenance release.
This version includes updated jQuery and SCEditor, JSON Syndication format, improved PostgreSQL support, improved PHP >= 7.1 compatibility, and improved search function reliability. See information on SCEditor-related theme updates.
6 security vulnerabilities addressed:
- High risk: Theme import stylesheet name RCE — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
- High risk: Nested video MyCode persistent XSS — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
- Medium risk: Find Orphaned Attachments reflected XSS — reported by Simon Scannell of RIPS Technologies
- Medium risk: Post edit reflected XSS — reported by adm1nkyj of ENKI
- Medium risk: Private Messaging folders SQL injection — reported by Alex of DiscoveryGC
- Low risk: Potential phar deserialization through Upload Path — reported by Simon Scannell of RIPS Technologies
39 issues resolved.
Check Release Notes for a list of changes to language files, templates and unresolved issues.
The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.