MyBB 1.8.21 Released — Security & Maintenance Release

MyBB 1.8.21 is now available, and is a security & maintenance release.

This version includes updated jQuery and SCEditor, a JSON Syndication format, improved PostgreSQL support, improved PHP >= 7.1 compatibility, and improved search function reliability. See information on SCEditor-related theme updates.

  • 6 security vulnerabilities addressed:

    • High risk: Theme import stylesheet name RCE — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • High risk: Nested video MyCode persistent XSS — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
    • Medium risk: Find Orphaned Attachments reflected XSS — reported by Simon Scannell of RIPS Technologies
    • Medium risk: Post edit reflected XSS — reported by adm1nkyj of ENKI
    • Medium risk: Private Messaging folders SQL injection — reported by Alex of DiscoveryGC
    • Low risk: Potential phar deserialization through Upload Path — reported by Simon Scannell of RIPS Technologies
  • 39 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team