MyBB 1.8.40 Released — Security & Maintenance Release

MyBB 1.8.40 is now available, and is a security & maintenance release.

This version includes stability fixes, adds controls for post icon features, and removes the discontinued Google Hangouts profile fields.

Please note that the Configuration File’s default Disallowed Remote Addresses list has changed and needs to be manually replaced/updated when upgrading.

Please note that the global.css file requires a manual insertion of two additional CSS lines.

  • 18 security vulnerabilities addressed:

    • High risk: Buddy/ignore list username XSS (advisory) — reported by Maxim Gofnung (Mallory.ai), Shuang Liao (Fudan University)
    • High risk: Profile field type confusion XSS (advisory) — reported by valent1
    • High risk: Installer database configuration RCE (advisory) — reported by Devilshakerz (MyBB Team)
    • Medium risk: Contact page reflected XSS (advisory) — reported by Shuang Liao (Fudan University)
    • Medium risk: ACP UTF-8 Conversion CSRF (advisory) — reported by Devilshakerz (MyBB Team)
    • Medium risk: Insufficient authorization for private calendar events (advisory) — reported by HuajiHD
    • Medium risk: Insufficient permission check for calendar select (advisory) — reported by HuajiHD
    • Medium risk: Buddy list corruption (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: Insufficient permission check for calendar event move (advisory) — reported by HuajiHD
    • Low risk: Mod CP report resolution missing authorization (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: IPv6 SSRF (advisory) — reported by Assaf Alassaf
    • Low risk: Email User CRLF injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: ACP Recovery Codes CSRF (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: ACP Questions state CSRF (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: ACP Users View Manager default CSRF (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: ACP Mass Mail draft resend CSRF (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: Default CAPTCHA missing invalidation (advisory) — reported by Himanshu Anand
    • Low risk: Security Question insufficient validation (advisory) — reported by Devilshakerz (MyBB Team)
  • 31 issues resolved

Notable contributions:

  • Buddy/ignore list management technical reflected XSS weakness report — by Shuang Liao of Fudan University
  • Contact page open redirect weakness report — by Himanshu Anand

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.39 Released — Security & Maintenance Release

MyBB 1.8.39 is now available, and is a security & maintenance release.

  • 2 security vulnerabilities addressed:

    • Medium risk: Upgrade local file inclusion (advisory) — reported by Cillian Collins
    • Low risk: Unviewable threads title disclosure in search (advisory) — reported by Huseyn (Khatai) Gadashov (Exploit Azerbaijan)
  • 37 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.38 Released — Security & Maintenance Release

MyBB 1.8.38 is now available, and is a security & maintenance release.

Administrators of installed boards should update the existing configuration (inc/config.php) to include all addresses blocked by default in Disallowed Remote Addresses.

  • 2 security vulnerabilities addressed:

    • Low risk: Incomplete disallowed remote addresses list SSRF (advisory) — reported by shin24
    • Low risk: Backups directory .htaccess deletion (advisory) — reported by shin24
  • 16 issues resolved
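The Disallowed Remote Addresses notes in the 1.8.40 and 1.8.38 announcements above (and the IPv6 and incomplete-list SSRF entries they fix) all come down to one check: before the board fetches a remote URL, every address the hostname resolves to must be compared against the blocklist, and IPv6 forms that reach the same host (loopback, link-local, IPv4-mapped, 6to4) must not slip past an IPv4-only list. The following is an added example, not MyBB's own code and not its matching logic; the two CIDR lists, the hostnames and the DNS answers are constructed for the demonstration, so take the real default entries from a fresh inc/config.php rather than from here.

```python
"""Egress filter in the spirit of MyBB's Disallowed Remote Addresses setting.

Added example; not MyBB code. The CIDR lists below are constructed for the
demonstration and are NOT the project's default values: copy the real
entries from a fresh inc/config.php when upgrading.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed IPv4-only list of the kind that leaves IPv6 loopback and
# link-local targets unfiltered. Assumption: illustrative, not a real default.
IPV4_ONLY_LIST = [
    "127.0.0.1",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
]

# Constructed fuller list: whole loopback /8, "this network", IPv4 link-local
# and the IPv6 counterparts. Assumption: shows what a complete list must
# cover, not the project's actual default.
FULL_LIST = IPV4_ONLY_LIST + [
    "127.0.0.0/8",
    "0.0.0.0/8",
    "169.254.0.0/16",
    "::/128",
    "::1/128",
    "fc00::/7",
    "fe80::/10",
]


def canonical_ip(addr: str):
    """Parse an address and unwrap IPv6 forms that carry an IPv4 payload.

    ::ffff:127.0.0.1 (IPv4-mapped) and 2002:7f00:1::1 (6to4) both end up at
    127.0.0.1 on a dual-stack host, so they are compared as that IPv4 address.
    Surrounding brackets from URL syntax are tolerated.
    """
    ip = ipaddress.ip_address(addr.strip("[]"))
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        if ip.sixtofour is not None:
            return ip.sixtofour
    return ip


def is_disallowed(addr: str, disallowed: Iterable[str]) -> bool:
    """True if addr falls inside any entry of the disallowed list.

    Entries may be single addresses or CIDR blocks; a bare address becomes
    a /32 or /128 via ip_network(). Families are compared separately.
    """
    ip = canonical_ip(addr)
    for entry in disallowed:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def blocked_targets(host: str, resolver: Callable[[str], List[str]],
                    disallowed: Iterable[str]) -> List[str]:
    """Resolve host and return every resolved address the filter rejects.

    The fetch is safe only if this returns an empty list: a single
    disallowed A or AAAA record is enough to land the request internally.
    """
    return [a for a in resolver(host) if is_disallowed(a, disallowed)]


# Constructed DNS answers standing in for socket.getaddrinfo() so the example
# runs offline. Assumption: these names and records are invented.
FAKE_DNS: Dict[str, List[str]] = {
    "img.example.com": ["203.0.113.10", "2001:db8::10"],
    "rebind.example.net": ["203.0.113.20", "::1"],
    "mapped.example.net": ["::ffff:10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(name,
              "ipv4-only list blocks:", blocked_targets(name, fake_resolver, IPV4_ONLY_LIST),
              "full list blocks:", blocked_targets(name, fake_resolver, FULL_LIST))
```

Run as-is to see that `rebind.example.net` passes the IPv4-only list untouched but is rejected by the full list on its `::1` record, while the IPv4-mapped `::ffff:10.0.0.5` is caught by both lists only because `canonical_ip` unwraps it first. A real deployment also has to re-check after any redirect, since the target host changes with each hop.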

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.37 Released — Security & Maintenance Release

MyBB 1.8.37 is now available, and is a security & maintenance release.

This version includes improvements for compatibility with mailing configurations and recent PHP versions.

  • 2 security vulnerabilities addressed:

    • Medium risk: Visual editor size code persistent XSS (advisory) — reported by Paulos Yibelo (Octagon Networks)
    • Low risk: ACP Themes persistent XSS (advisory) — reported by Or4nG.M4n
  • 12 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.36 Released — Security Release

MyBB 1.8.36 is now available, and is a security release.

After applying the patch, we recommend using the Admin CP’s Tools & Maintenance → System Health → Check Templates tool to scan for security issues that may not have been detected before this version.

  • 1 security vulnerability addressed:

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.35 Released — Maintenance Release

MyBB 1.8.35 is now available, and is a maintenance release.

This version improves stability and compatibility with various PHP versions.

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.34 Released — Security & Maintenance Release

MyBB 1.8.34 is now available, and is a security & maintenance release.

  • 1 security vulnerability addressed:

    • Low risk: User CP email persistent XSS (advisory) — reported by Ahmet Altuntaş
  • 13 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

To keep up with Project news, you can now follow MyBB on Mastodon.

Thanks,
MyBB Team

MyBB 1.8.33 Released — Security & Maintenance Release

MyBB 1.8.33 is now available, and is a security & maintenance release.

This version improves cache system stability, and compatibility with PostgreSQL (PDO) and recent PHP versions.

  • 1 security vulnerability addressed:

    • High risk: ACP Languages local file inclusion (advisory) — reported by yelang123 (Stealien), NGA (Stealien)
  • 8 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.32 Released — Security & Maintenance Release

MyBB 1.8.32 is now available, and is a security & maintenance release.

This version addresses reported security problems and updates SCEditor to the latest version.

  • 3 security vulnerabilities addressed:

    • High risk: Visual editor persistent XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
    • Medium risk: ACP Users SQL injection (advisory) — reported by Aleksey Solovev (Positive Technologies)
    • Low risk: Attachment upload XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
  • 1 issue resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.31 Released — Security & Maintenance Release

MyBB 1.8.31 is now available, and is a security & maintenance release.

This version resolves discovered bugs and regressions, and improves compatibility with database engines and recent PHP versions.

Please note that the value of Additional Parameters for PHP’s mail() (Mail Settings) now only takes effect when saved in the Configuration File.

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team