MyBB 1.8.22 Released — Security & Maintenance Release

vbgamer45

Adherent
Joined
Sep 22, 2005
Messages
291
MyBB 1.8.22 is now available, and is a security & maintenance release.

Note: this version removes the discontinued Yahoo profile field, which may have been customized for other purposes.

  • 5 security vulnerabilities addressed:
    • High risk: Installer RCE on settings file write — reported by yelang123 of Stealien
    • Medium risk: Arbitrary upload paths & Local File Inclusion RCE — reported by CNCERT
    • Medium risk: XSS via insufficient HTML sanitization of Blog feed & Extend data — reported by Devilshakerz of MyBB Team
    • Low risk: Open redirect on login — reported by Jyoti Raval
    • Low risk: SCEditor reflected XSS — reported by Cillian Collins, bl4ckh4ck5
  • 36 issues resolved
Check Release Notes for a list of changes to language files, templates and unresolved issues.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,

https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/
 

macfanpl

Enthusiast
Joined
Jun 5, 2019
Messages
119
"Medium risk: XSS" and "Low risk: SCEditor reflected XSS", but "High risk: Installer RCE".

These are the reasons why there is so much hate towards MyBB. If they treat XSS as medium and low risk, but assign high risk to RCE, then anyone who treats internet security seriously would avoid them no matter what.
 

mysiteguy

Migration Expert
Joined
Feb 20, 2007
Messages
3,209
Businesses with remote work are also impacted in their unique ways by COVID-19.

In my own business, requests from existing and potential clients went up dramatically. Some need help ramping up server capacity due to increased traffic. Others, such as one in the pharmaceutical business, had their team spend extra time the past few weeks on a project posting information for pharmacies looking for help assisting employees, rapid increases in orders which can hurt cash flow, etc. Another's field is "prepper" in nature, and in the midst of a large project we already had underway, COVID-19 became an issue.

It's put all of us here on our toes trying to keep up. Last week at one point I put in nearly a 24-hour marathon work shift to assist a client in dire need. As of yesterday, after weeks of this, the emergency & high priority work finally leveled off and the workload is becoming normal. That could change quickly, be it another work spike or seeing business rapidly decline when the economics of this situation start catching up with people.

I can't judge anyone's workload (or lack of it) during these times. I've had to push out schedules for clients, and likewise, some of the vendors I've depended upon for goods and services are a little bit slower than normal. Pretty much everyone I know professionally (and personally as well) is stressed out one way or another - I recommend giving people the benefit of the doubt. :)
 