2019-07-20, 04:08 PM
2019-07-20, 04:20 PM
Definitely dangerous and penetrating
MyBB 1.8.21 Released — Security & Maintenance Release
- High risk: Theme import stylesheet name RCE — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
- High risk: Nested video MyCode persistent XSS — reported by Simon Scannell and Robin Peraglie of RIPS Technologies
- Medium risk: Find Orphaned Attachments reflected XSS — reported by Simon Scannell of RIPS Technologies
- Medium risk: Post edit reflected XSS — reported by adm1nkyj of ENKI
- Medium risk: Private Messaging folders SQL injection — reported by Alex of DiscoveryGC
- Low risk: Potential phar deserialization through Upload Path — reported by Simon Scannell of RIPS Technologies
- Medium risk: Reset Password reflected XSS
- Medium risk: ModCP Profile Editor username reflected XSS — reported by Jovan Zivanovic of MaTRIS Research Group, SBA Research
- Low risk: Predictable CSRF token for guest users — reported by Devilshakerz of MyBB Team
- Low risk: ACP Stylesheet Properties XSS — reported by Cillian Collins
- Low risk: Reset Password username enumeration via email — reported by Abdullah Md. Shaleh
- High risk: Email field SQL Injection — reported by StefanT
- Medium risk: Video MyCode Persistent XSS in Visual Editor — reported by Numan OZDEMIR of InfinitumIT
- Low risk: Insufficient permission check in User CP’s attachment management — reported by StefanT
- Low risk: Insufficient email address verification — reported by StefanT
2019-07-21, 11:16 AM
The only version we'd ever recommend running is the most recent.