MyBB 1.8.21
11 June 2019
MyBB version 1.8.21 is now available (security release).
Upgrading to MyBB 1.8.21
MyBB 1.8.21 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MyBB updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MyBB install to test the 1.8.21 upgrade prior to applying it live.
What's New in MyBB 1.8.21
This is a security and maintenance release for MyBB.
Security
- HIGH RISK: Theme import stylesheet name RCE. Reported by Simon Scannell and Robin Peraglie (RIPS Technologies).
- HIGH RISK: Nested video MyCode persistent XSS. Reported by Simon Scannell and Robin Peraglie (RIPS Technologies).
- MEDIUM RISK: Find Orphaned Attachments reflected XSS. Reported by Simon Scannell (RIPS Technologies).
- MEDIUM RISK: Post edit reflected XSS. Reported by adm1nkyj (ENKI).
- MEDIUM RISK: Private Messaging folders SQL injection. Reported by Alex DiscoveryGC.
- LOW RISK: Potential phar deserialization through Upload Path. Reported by Simon Scannell (RIPS Technologies).
Bug Fixes
- #3696 header_welcomeblock_member_buddy template is not cached
- #3693 email insert doesn't work in source mode
- #3691 Quote disappears in source mode
- #3681 RSS Syndication : Bugs & Improvements
- #3680 New hook on recount_rebuild
- #3679 Language: use horizontal ellipsis instead of three dots or two dots
- #3678 Unique check for per_page on recount_rebuild
- #3676 SQL Error When Viewing Unread PMs
- #3666 PM search - incorrect folder
- #3663 Moved thread link name not changing properly
- #3657 Missing CSS-class in referral modal
- #3656 SQL Error on Post Update With Removed Attachment
- #3651 Recount & Rebuild JS redirect is broken
- #3647 Incompatible arguments of DB_Base::modify_column() and DB_Base::rename_column() implementations
- #3640 Upgrade jQuery to latest (3.3.1) & related js updates
- #3636 JS error - modal template in headerinclude
- #3634 Empty folders - message count of unread instead of inbox
- #3627 Admin Edit User - Missing external URL
- #3625 PHP 7 compatibility - functions_calendar.php
- #3614 Posting Limits and Post Moderation
- #3613 Clear select2
- #3611 Change Usergroup & Hidden Theme Interfering
- #3610 BugDoc - Please fix documentation for Attachment Type
- #3609 Fulltext Search and Stopwords
- #3608 Inconsistent error message
- #3604 class_stopforumspamchecker.php uses old API call url
- #3601 AdminCP "Report Reasons" not updating cache on `disporder` change
- #3598 1.8.20 - unread PMs - pagination
- #3596 separator on index page
- #3593 Actions on ACP's Awaiting Activation page with no users selected result in PHP Warning
- #3591 1.8.20 sceditor font-size change bug
- #3590 Empty index operator used on $errors string in Mod CP results in Fatal error with PHP 7.1
- #3588 1.8.20 Editor Center issue
- #3587 Templates Not Cached at Startup (`global_modqueue` & `global_modqueue_notice`)
- #3575 Parser auto link breaks `ftp://` protocol URLs
- #3520 Invisible Recaptcha - PW Reset Error
- #3383 unable to add images to register questions
- #2754 $sourcemode causes page to scroll to editor textarea when set to true via usercp.
- #2542 Update SCEditor