MyBB 1.8.40 is now available. It is a security and maintenance release.
This version includes stability fixes, adds controls for post icon features, and removes the discontinued Google Hangouts profile fields.
Please note that the default Disallowed Remote Addresses list in the configuration file (inc/config.php) has changed and must be replaced or updated manually when upgrading.
Please note that global.css requires two additional CSS lines to be inserted manually.
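Whether the Disallowed Remote Addresses list on your own installation covers IPv6 as well as IPv4 can be checked offline. The script below is an added example, not MyBB code and not the contents of any MyBB default configuration: both denylists in it are constructed for illustration, and it is written in Python rather than PHP so that it runs without a forum install. It shows that a list naming only IPv4 ranges lets IPv6 loopback through even when IPv4-mapped IPv6 literals are handled correctly, which is the class of gap the IPv6 SSRF entry in the list below refers to.

```python
import ipaddress

# Constructed denylist in the style of $config['disallowed_remote_addresses'],
# naming only IPv4 ranges. Assumption for this example, not a MyBB default.
IPV4_ONLY_DENYLIST = [
    "127.0.0.1",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",
]

# The same list with IPv6 loopback, unspecified, unique-local and link-local
# ranges added. Also constructed for this example.
DUAL_STACK_DENYLIST = IPV4_ONLY_DENYLIST + [
    "::1",
    "::/128",
    "fc00::/7",
    "fe80::/10",
]


def normalize(addr):
    """Parse an address literal. IPv4-mapped IPv6 literals (::ffff:a.b.c.d)
    are unwrapped to their IPv4 form so that IPv4 rules apply to them."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_disallowed(addr, denylist):
    """True if addr falls inside any entry of denylist (hosts or CIDR blocks).
    Apply this to the address a hostname resolves to, never to the hostname."""
    ip = normalize(addr)
    for entry in denylist:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def find_bypasses(probes, denylist):
    """Return the probe addresses that denylist does NOT block."""
    return [p for p in probes if not is_disallowed(p, denylist)]


if __name__ == "__main__":
    # Constructed probes: IPv4 loopback, IPv6 loopback, mapped private IPv4.
    probes = ["127.0.0.1", "::1", "::ffff:10.0.0.1"]
    print("IPv4-only list lets through:", find_bypasses(probes, IPV4_ONLY_DENYLIST))
    print("Dual-stack list lets through:", find_bypasses(probes, DUAL_STACK_DENYLIST))
```

Run it against the entries you actually have in inc/config.php; any probe that comes back from find_bypasses is an address a remote-fetch feature would still be allowed to contact.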
18 security vulnerabilities addressed:
- High risk: Buddy/ignore list username XSS (advisory) — reported by Maxim Gofnung (Mallory.ai), Shuang Liao (Fudan University)
- High risk: Profile field type confusion XSS (advisory) — reported by valent1
- High risk: Installer database configuration RCE (advisory) — reported by Devilshakerz (MyBB Team)
- Medium risk: Contact page reflected XSS (advisory) — reported by Shuang Liao (Fudan University)
- Medium risk: ACP UTF-8 Conversion CSRF (advisory) — reported by Devilshakerz (MyBB Team)
- Medium risk: Insufficient authorization for private calendar events (advisory) — reported by HuajiHD
- Medium risk: Insufficient permission check for calendar select (advisory) — reported by HuajiHD
- Medium risk: Buddy list corruption (advisory) — reported by Devilshakerz (MyBB Team)
- Low risk: Insufficient permission check for calendar event move (advisory) — reported by HuajiHD
- Low risk: Mod CP report resolution missing authorization (advisory) — reported by Devilshakerz (MyBB Team)
- Low risk: IPv6 SSRF (advisory) — reported by Assaf Alassaf
- Low risk: Email User CRLF injection (advisory) — reported by Devilshakerz (MyBB Team)
- Low risk: ACP Recovery Codes CSRF (advisory) — reported by Devilshakerz (MyBB Team)
- Low risk: ACP Questions state CSRF (advisory) — reported by Devilshakerz (MyBB Team)
- Low risk: ACP Users View Manager default CSRF (advisory) — reported by Devilshakerz (MyBB Team)
- Low risk: ACP Mass Mail draft resend CSRF (advisory) — reported by Devilshakerz (MyBB Team)
- Low risk: Default CAPTCHA missing invalidation (advisory) — reported by Himanshu Anand
- Low risk: Security Question insufficient validation (advisory) — reported by Devilshakerz (MyBB Team)
31 issues resolved
Notable contributions:
- Buddy/ignore list management technical reflected XSS weakness report — by Shuang Liao of Fudan University
- Contact page open redirect weakness report — by Himanshu Anand
Check the Release Notes for more information.
Get latest MyBB Full & Upgrade Packages →
The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.
Thanks,
MyBB Team