Resolved Security Issues

Here you will find documented security issues addressed in past MyBB releases. Please note that the list may not include details of vulnerabilities in legacy branches. View Security Research to learn more or report security-related problems.

Version Addressed Severity Description, References, Classification Reported By

1.8.24

9 August 2020

High MyCode message formatting XSS in visual editor [1]

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-15139

Murphy

1.8.23

17 July 2020

Medium Anti-CSRF token disclosure in online status location [1]

CWE-200 CVSS:3.1/PR:N

Mipher

1.8.22

30 December 2019

High Installer RCE on settings file write

CWE-94 CVSS:3.1/PR:N

yelang123 (Stealien)
Medium Arbitrary upload paths & Local File Inclusion RCE

CWE-94 CVSS:3.1/PR:H

CNCERT
Medium XSS via insufficient HTML sanitization of Blog feed & Extend data

CWE-79 CVSS:3.1/PR:H

Devilshakerz (MyBB Team)
Low Open redirect on login

CWE-601 CVSS:3.1/PR:N

Jyoti Raval (Qualys)
Low SCEditor reflected XSS

CWE-79 CVSS:3.1/PR:N

Cillian Collins, bl4ckh4ck5

1.8.21

10 June 2019

High Theme import stylesheet name RCE [1]

CWE-94 CVSS:3.1/PR:H

Simon Scannell and Robin Peraglie (RIPS Technologies)
High Nested video MyCode persistent XSS [1]

CWE-79 CVSS:3.1/PR:N

Simon Scannell and Robin Peraglie (RIPS Technologies)
Medium Find Orphaned Attachments reflected XSS

CWE-79 CVSS:3.1/PR:H

Simon Scannell (RIPS Technologies)
Medium Post edit reflected XSS

CWE-79 CVSS:3.1/PR:L

adm1nkyj (ENKI)
Medium Private Messaging folders SQL injection

CWE-89 CVSS:3.1/PR:L

Alex (DiscoveryGC)
Low Potential phar deserialization through Upload Path

CWE-502 CVSS:3.1/PR:H

Simon Scannell (RIPS Technologies)

1.8.20

27 February 2019

Medium Reset Password reflected XSS

CWE-79 CVSS:3.1/PR:N

Medium ModCP Profile Editor username reflected XSS

CWE-79 CVSS:3.1/PR:L

Jovan Zivanovic (MaTRIS Research Group, SBA Research)
Low Predictable CSRF token for guest users

CWE-352 CVSS:3.1/PR:N

Devilshakerz (MyBB Team)
Low ACP Stylesheet Properties XSS

CWE-79 CVSS:3.1/PR:H

Cillian Collins
Low Reset Password username enumeration via email

CWE-200 CVSS:3.1/PR:N

Abdullah Md. Shaleh

1.8.19

11 September 2018

High Email field SQL Injection

CWE-89 CVSS:3.1/PR:N

StefanT
Medium Video MyCode Persistent XSS in Visual Editor

CWE-79 CVSS:3.1/PR:N

Numan OZDEMIR (InfinitumIT)
Low Insufficient permission check in User CP's attachment management

CWE-284 CVSS:3.1/PR:L

StefanT
Low Insufficient email address verification

CWE-345 CVSS:3.1/PR:L

StefanT

1.8.18

22 August 2018

High Image MyCode "alt" attribute persistent XSS

Punisher_HF
Medium RSS Atom 1.0 item title persistent XSS

CWE-79 CVSS:3.1/PR:N

0xB9

1.8.16

4 July 2018

High Image & URL MyCode Persistent XSS

CWE-79 CVSS:3.1/PR:N

Punisher_HF
Medium Multipage Reflected XSS

CWE-79 CVSS:3.1/PR:N

Dimaz Arno (Ethic Ninja)
Low ACP logs XSS

CWE-79 CVSS:3.1/PR:H

Cillian Collins
Low Arbitrary file deletion via ACP's Settings

CWE-22 CVSS:3.1/PR:H

Devilshakerz (MyBB Team)
Low Login CSRF

CWE-352 CVSS:3.1/PR:N

Cillian Collins
Low Non-video content embedding via Video MyCode

CWE-20 CVSS:3.1/PR:N

Punisher_HF

1.8.15

15 March 2018

Medium Tasks Local File Inclusion

CWE-98 CVSS:3.1/PR:H

Riley Baird
Medium Forum Password Check Bypass

CWE-284 CVSS:3.1/PR:N

Riley Baird
Low Admin Permissions Group Title XSS

CWE-79 CVSS:3.1/PR:H

Nathaniel Suchy
Low Attachment types file extension XSS

CWE-79 CVSS:3.1/PR:H

Nathaniel Suchy
Low Moderator Tools XSS

CWE-79 CVSS:3.1/PR:L

Nathaniel Suchy
Low Security Questions XSS

CWE-79 CVSS:3.1/PR:H

doylecc
Low Settings Management XSS

CWE-79 CVSS:3.1/PR:H

Nathaniel Suchy
Low Templates Set Name XSS

CWE-79 CVSS:3.1/PR:H

Nathaniel Suchy
Low Usergroup Promotions XSS

CWE-79 CVSS:3.1/PR:H

Nathaniel Suchy
Low Warning Types XSS

CWE-79 CVSS:3.1/PR:H

Nathaniel Suchy

1.8.14

28 November 2017

High Language file headers RCE

CWE-94 CVSS:3.1/PR:H

Julian Rittweger
Low Language Pack Properties XSS

CWE-79 CVSS:3.1/PR:H

Julian Rittweger

1.8.13

7 November 2017

High Installer RCE on configuration file write

CWE-94 CVSS:3.1/PR:N

pabstersac
High Language file headers RCE

CWE-94 CVSS:3.1/PR:H

Julian Rittweger
Medium Installer XSS

CWE-79 CVSS:3.1/PR:N

pabstersac
Medium Mod CP Edit Profile XSS

CWE-79 CVSS:3.1/PR:L

Julian Rittweger
Low Insufficient moderator permission check in delayed moderation tools

CWE-284 CVSS:3.1/PR:L

Starpaul20 (MyBB Team)
Low Announcements HTML filter bypass

CWE-79 CVSS:3.1/PR:L

Low Language Pack Properties XSS

CWE-79 CVSS:3.1/PR:H

Julian Rittweger

1.8.12

22 May 2017

Medium Insufficient permission check in multiquote feature

CWE-284 CVSS:3.1/PR:N

frostschutz
Medium CSV macro injection on PM export

CWE-20 CVSS:3.1/PR:L

Rico A. Silvallana
Low Weak password reset codes & false positives

CWE-334 CVSS:3.1/PR:N

Devilshakerz (MyBB Team)

1.8.11

4 April 2017

High XSS Injection in Email MyCode

CWE-79 CVSS:3.1/PR:N

Zhiyang Zeng (Tencent security platform department)
Medium SSRF protection can be bypassed

CWE-918 CVSS:3.1/PR:L

Orange Tsai (DEVCORE), Jasveer Singh (SEC Consult Vulnerability Lab)
Low Directory Traversal in smilie module

CWE-22 CVSS:3.1/PR:H

Zhiyang Zeng (Tencent security platform department)

1.8.9

21 December 2016

Low CSRF issue when removing subscriptions

CWE-352 CVSS:3.1/PR:L

Devilshakerz (MyBB Team)

1.8.8

17 October 2016

Medium Style import CSS overwrite on Windows servers

CWE-22 CVSS:3.1/PR:H

patryk
Medium SQL Injection in the users data handler

CWE-89 CVSS:3.1/PR:L

afinepl
Medium SSRF attack in fetch_remote_file()

dawid_golunski
Medium Possible short name access to ACP backups on Windows servers

CWE-22 CVSS:3.1/PR:N

kevinoclam
Low Stored XSS in the ACP

CWE-79 CVSS:3.1/PR:H

patryk
Low Loose comparison false positives

CWE-697 CVSS:3.1/PR:N

Devilshakerz (MyBB Team)
Low Possible XSS injection in ACP users module

CWE-79 CVSS:3.1/PR:H

afinepl

1.8.7

11 March 2016

Medium Possible SQL Injection in moderation tool

CWE-89 CVSS:3.1/PR:L

jamslater
Low Missing permission check in newreply.php

CWE-284 CVSS:3.1/PR:N

StefanT (MyBB Team)
Low Possible XSS Injection on login

CWE-79 CVSS:3.1/PR:N

Devilshakerz (MyBB Team)
Low Possible XSS Injection in member validation

CWE-79 CVSS:3.1/PR:N

Tim Coen
Low Possible XSS Injection in User CP

CWE-79 CVSS:3.1/PR:L

Tim Coen
Low Possible XSS Injection in Mod CP logs

CWE-79 CVSS:3.1/PR:L

Starpaul20 (MyBB Team)
Low Possible XSS Injection when editing users in Mod CP

CWE-79 CVSS:3.1/PR:L

Tim Coen
Low Possible XSS Injection when pruning logs in ACP

CWE-79 CVSS:3.1/PR:H

Devilshakerz (MyBB Team)
Low Possibility of retrieving database details through templates

CWE-200 CVSS:3.1/PR:H

Tim Coen
Low Disclosure of ACP path when sending mails from ACP

CWE-200 CVSS:3.1/PR:N

sarisisop
Low Low adminsid & sid entropy

CWE-334 CVSS:3.1/PR:N

Devilshakerz (MyBB Team)
Low Clickjacking in ACP

CWE-1021 CVSS:3.1/PR:N

DingjieYang
Low Missing directory listing protection in upload directories

CWE-548 CVSS:3.1/PR:N

Tim Coen

1.8.6

7 September 2015

Medium Forum password bypass in xmlhttp.php

CWE-284 CVSS:3.1/PR:N

Devilshakerz (MyBB Team)
Low SQL Injection in Grouppromotions module (ACP)

Devilshakerz (MyBB Team)
Low Possible XSS Injection in the error handler

CWE-79 CVSS:3.1/PR:N

FooBar123
Low Possible XSS issues in old upgrade files

CWE-79 CVSS:3.1/PR:N

FooBar123
Low Possible Full Path Disclosure in publicly accessible error log files

CWE-200 CVSS:3.1/PR:N

Devilshakerz (MyBB Team)

1.6.18

7 September 2015

Medium Forum password bypass in xmlhttp.php

Low SQL Injection in Grouppromotions module (ACP)

Low Possible XSS Injection in the error handler

Low Possible XSS issues in old upgrade files

1.8.5

27 May 2015

Medium Reset password code check could be circumvented in member.php

CWE-287 CVSS:3.1/PR:N

solati.sadegh
Medium Sender email could be spoofed when sending an email to a user in member.php

CWE-345 CVSS:3.1/PR:L

onlinedevelopers
Medium Permissions not checked for post search with old sid in search.php

CWE-284 CVSS:3.1/PR:N

pedder55655
Medium XSS in quick edit function of xmlhttp.php

CWE-79 CVSS:3.1/PR:N

TiberiusG
Low CSRF in ACP mass mail cancellation

CWE-352 CVSS:3.1/PR:H

Destroy666 (MyBB Team)
Low Use of the U+200E Unicode character to create “duplicate” username

mahdy2021

1.6.17

27 May 2015

Medium Reset password code check could be circumvented in member.php

Medium Permissions not checked for post search with old sid in search.php

Low CSRF in ACP mass mail cancellation

Low Use of the U+200E Unicode character to create "duplicate" username

Low Multiple XSS vulnerability requiring admin permissions

Low A CSRF vulnerability within ACP login

Low Cache handler using var_export without encoding checks

1.8.4

15 February 2015

Medium A XSS vulnerability in member.php

CWE-79 CVSS:3.1/PR:N

ATofighi (MyBB Team)
Medium A XSS vulnerability in MyCode editor

CWE-79 CVSS:3.1/PR:N

Matthias Ungethüm
Low Multiple XSS vulnerability requiring admin permissions

CWE-79 CVSS:3.1/PR:H

adamziaja, Devilshakerz, DingjieYang, sroesemann
Low A CSRF vulnerability within ACP login

CWE-352 CVSS:3.1/PR:N

Devilshakerz
Low Group join request notifications sent to wrong group leaders

CWE-200 CVSS:3.1/PR:L

Snake_
Low Cache handler using var_export without encoding checks

CWE-172 CVSS:3.1/PR:N

chtg
No A full path disclosure vulnerability within JSON library

CWE-200 CVSS:3.1/PR:N

Nathan Malcolm

1.8.3

20 November 2014

High A SQL injection vulnerability in theme selection

CWE-89 CVSS:3.1/PR:N

StefanT (MyBB Team)
Medium A XSS vulnerability in calendar.php

CWE-79 CVSS:3.1/PR:L

-Acid
Medium A XSS vulnerability in MyCode editor

CWE-79 CVSS:3.1/PR:N

My-BB.Ir
Low A XSS vulnerability related to post icons

CWE-79 CVSS:3.1/PR:H

Destroy666 (MyBB Team)
Low unserialize may call PHP magic methods

CWE-502 CVSS:3.1/PR:N

chtg
Low PHP setting request_order can break register globals handling

CWE-473 CVSS:3.1/PR:N

chtg

1.6.16

20 November 2014

Low A XSS vulnerability related to post icons

Destroy666 (MyBB Team)
Low A XSS vulnerability in admin/modules/style/templates.php

Low A XSS vulnerability in admin/modules/config/languages.php

Low unserialize may call PHP magic methods

chtg
Low PHP setting request_order can break register globals handling

chtg

1.8.2

13 November 2014

High A SQL injection vulnerability in member.php

CWE-89 CVSS:3.1/PR:N

Medium A XSS vulnerability in report.php

CWE-79 CVSS:3.1/PR:L

Medium A XSS vulnerability in inc/class_parser.php

CWE-79 CVSS:3.1/PR:N

Low A XSS vulnerability in admin/modules/style/templates.php

CWE-79 CVSS:3.1/PR:H

Low A XSS vulnerability in admin/modules/config/languages.php

CWE-79 CVSS:3.1/PR:H

1.6.15

4 August 2014

Medium A XSS vulnerability in video MyCode

1.6.14

30 June 2014

Medium Possibility of executing PHP code through settings

GiantCrocodile
Low A XSS vulnerability in polls.php

AntiPaste
Low A XSS vulnerability in portal.php

AntiPaste
Low Password protected forums can be viewed from the portal

Nathan Malcolm
Low Super moderators have more permissions than expected

JordanMussi (MyBB Team)

1.6.13

26 April 2014

Medium Possibility of executing PHP code through stylesheets

Medium Possibility of executing PHP code through language files

Low A XSS vulnerability in search system

Low Potential weak random string generator

1.6.12

30 December 2013

Medium A SQL vulnerability when editing smilies in ACP

ChALkeR
Medium A SQL vulnerability when deleting posts with Akismet in ACP

ChALkeR
Medium A XSS vulnerability in video MyCode

ChALkeR
Low A XSS vulnerability in smilie popup

Spenzert