MyBB 1.8.11
23 April 2017
MyBB version 1.8.11 is now available (security release).
Upgrading to MyBB 1.8.11
MyBB 1.8.11 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MyBB updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MyBB install to test the 1.8.11 upgrade prior to applying it live.
What's New in MyBB 1.8.11
This release fixes 3 security vulnerabilities and 32 reported issues causing incorrect functionality of MyBB.
Security
- High risk: XSS Injection in Email MyCode – reported by Zhiyang Zeng of Tencent security platform department
- Medium risk: SSRF protection can be bypassed – reported by Orange Tsai of DEVCORE and Jasveer Singh of SEC Consult Vulnerability Lab
- Low risk: Directory Traversal in smilie module – reported by Zhiyang Zeng of Tencent security platform department
Bugs fixed
- Bug: mybbuser cookie is set without httponly when changing password
- Enhancement: Mod CP - missing plugin hooks
- Bug: Issues with Admin Logging and email pruning
- Bug: orphaned variable
- Enhancement: Add new hook in User CP's Change Avatar section
- Bug: Update LiveLeak embed code for HTTPS
- Enhancement: Add Referrer-Policy header on ACP pages
- Bug: Invalid download link in ACP version check
- Enhancement: Missing Plugin Hooks in the ACP
- Bug: Wrong link to announcements in ModCP announcement list
- Enhancement: New hook in moderation.php to work with moved posts
- Bug: Notification email not sent after activation
- Enhancement: Rewrite create_password_hash() usage to accept array of password parameters
- Bug: PHP 7.1 Illegal string offset warning when editing user profile with custom select fields
- Bug: Stats page refreshing issue
- Enhancement: Error notice (div.error) styling doesn't match the 1.8 design
- Bug: MyCode same regular expression issue
- Bug: Blocked user's soft deleted message issue
- Bug: Group promotions bug
- Bug: Twitch Videos Start Automatically
- Bug: Almost all numeric values greater than 9 are set to 9 in "Show All Settings"
- Bug: Theme selector leaves GET data in the URL
- Bug: GO button in portal search not inline
- Bug: last post info is not updating properly
- Bug: When viewing own profile via `uid=0`, the username isn't shown
- Bug: Today's birthdays issue with deleted user or purged spammer
- Bug: Editing of announcements in ModCP doesn't work
- Bug: Only one child theme moved up the tree when deleting themes
- Bug: Reply button with usernames containing quotes
- Bug: Find orphaned attachments shows success when failed
- Bug: User ratings not merging when account is merged