MyBB 1.8.22 is now available, and is a security & maintenance release.
Note: this version removes the discontinued Yahoo profile field, which may have been customized for other purposes.
5 security vulnerabilities addressed:
- High risk: Installer RCE on settings file write — reported by yelang123 of Stealien
- Medium risk: Arbitrary upload paths & Local File Inclusion RCE — reported by CNCERT
- Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data — reported by Devilshakerz of MyBB Team
- Low risk: Open redirect on login — reported by Jyoti Raval of Qualys
- Low risk: SCEditor reflected XSS — reported by Cillian Collins, bl4ckh4ck5
36 issues resolved.
Check Release Notes for a list of changes to language files, templates and unresolved issues.
The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.