MyBB 1.8.32 Released — Security & Maintenance Release

MyBB 1.8.32 is now available, and is a security & maintenance release.

This version addresses reported security problems and updates SCEditor to the latest version.

  • 3 security vulnerabilities addressed:

    • High risk: Visual editor persistent XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
    • Medium risk: ACP Users SQL injection (advisory) — reported by Aleksey Solovev (Positive Technologies)
    • Low risk: Attachment upload XSS (advisory) — reported by Aleksey Solovev (Positive Technologies)
  • 1 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.31 Released — Security & Maintenance Release

MyBB 1.8.31 is now available, and is a security & maintenance release.

This version resolves discovered bugs and regressions, and improves compatibility with database engines and recent PHP versions.

Please note that the value of Additional Parameters for PHP’s mail() (Mail Settings) now only takes effect when saved in the Configuration File.

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.30 Released — Security Release

MyBB 1.8.30 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: ACP Settings management RCE (advisory) — reported by Cillian Collins / Trend Micro Zero Day Initiative

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.29 Released — Security Release

MyBB 1.8.29 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: ACP Settings management RCE (advisory) — reported by Xiangwen (Evan) Yu

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.28 Released — Security & Maintenance Release

MyBB 1.8.28 is now available, and is a security & maintenance release.

This version resolves discovered bugs and regressions, and addresses known PHP 8 compatibility problems.

This version enables validation of HTML code generated by the MyCode parser — check the Documentation page and previous announcement for more details.

  • 1 security vulnerability addressed:

    • Medium risk: ACP Template Name XSS (advisory) — reported by Andrey Stoykov
  • 28 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.26 Released — Security Release

MyBB 1.8.26 is now available, and is a security release.

  • 6 security vulnerabilities addressed:

    • High risk: Nested Auto URL persistent XSS (advisory) — reported by Simon Scannell & Carl Smith
    • Medium risk: Theme properties SQL injection (advisory) — reported by Simon Scannell & Carl Smith
    • Medium risk: Poll vote count SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Medium risk: Forum Management SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Medium risk: Usergroups SQL injection (advisory) — reported by Devilshakerz (MyBB Team)
    • Low risk: Custom moderator tools reflected XSS (advisory) — reported by Devilshakerz (MyBB Team)

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.25 Released — Security Release

MyBB 1.8.25 is now available, and is a security release.

  • 1 security vulnerability addressed:

    • High risk: Nested Email MyCode Persistent XSS (advisory) — reported by Igor Sak-Sakovskiy

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.24 Released — Security Release

MyBB 1.8.24 is now available, and is a security release.

After running the upgrade, make sure to update the version attribute in the codebuttons template for non-default themes.

  • 1 security vulnerability addressed:

    • High risk: MyCode message formatting XSS in visual editor (advisory) — reported by Murphy

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB 1.8.23 Released — Security & Maintenance Release

MyBB 1.8.23 is now available, and is a security & maintenance release.

This release includes added support for hCaptcha, reCAPTCHA v3, APCu, Redis, improvements related to ACP’s Thread Prefixes management, UTF-8 search, performance, and updates jQuery to 3.5.1.

Themes: content of global.css stylesheet may need updating (#3977).

Extension developers: always use verify_post_check() for my_post_key token verification (#4022); positions of some hooks were changed (#3648); the banned datacache was removed (#3878).

  • 1 security vulnerability addressed:

    • Medium risk: Anti-CSRF token disclosure in online status location — reported by Mipher
  • 101 issues resolved

Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

A Close Look at 100+ Patched Vulnerabilities

With the release of MyBB 1.8.22, over one hundred vulnerabilities have been addressed in the 1.8 branch. In this post we look into what the numbers can tell us so far, and how the trends are expected to change in the future.

Since the announcement of the first stable package in 2005, over 270 security flaws were fixed in the 87 versions starting with MyBB 1.0 (some of which overlapped when two supported branches received security updates simultaneously), making 88% of all releases related to security fixes. Additional information tracked within the 1.8.x branch surfaces the most common means of reporting, types, and practical impact of 103 vulnerabilities that have been addressed five years in.

Continue reading