Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Over 100 Vulnerabilities Patched in MyBB in Past 5 Years

The developers of the free and open-source forum software MyBB have shared some data on the vulnerabilities patched in their product over the past years.

The developers of the free and open-source forum software MyBB have shared some data on the vulnerabilities patched in their product over the past years.

According to MyBB developers, 103 vulnerabilities have been patched in the 1.8.x branch since its release in 2014. Nearly three quarters of these flaws were reported through MyBB’s security program and 19 percent were discovered internally. The vulnerabilities were patched across 19 security releases.

In total, the developers revealed, more than 270 vulnerabilities were found and patched in MyBB since the release of version 1.0 in 2005.

A total of 50 people discovered vulnerabilities in MyBB 1.8, and 40% of them reported two or more valid issues. Vulnerabilities found in MyBB can be reported through the organization’s Private Inquiries forum, which has been used to submit most reports, and email.

As for the types of security holes found in MyBB 1.8, developers said the most common was cross-site scripting (XSS), with 49 cases of persistent, reflected and DOM-based XSS. The second most common types of vulnerabilities were improper access control and SQL injection, with 7 cases each.

Other types of flaws included code injection, information exposure, cross-site request forgery (CSRF), path traversal, improper input validation, small space of random values, and server-side request forgery (SSRF).

In terms of risk, only a dozen vulnerabilities were classified as high risk; 33 were rated medium risk and 58 low risk.

According to MyBB, 49 flaws could be exploited by low-privileged users, 22 required moderator or user permissions, and 32 required admin permissions for successful exploitation.

Advertisement. Scroll to continue reading.

MyBB vulnerabilities

“A rundown of recently remediated weaknesses suggest that MyBB forums with a common configuration, running on version 1.8.20 or older, can be breached with minimal interaction of unsuspecting forum administrators, through the exploitation of an XSS & Code Injection weakness,” MyBB developers explained.

“Moreover, boards running 1.8.18 or older may be damaged with no interaction whatsoever by attackers escalating permissions of their own accounts to the administrator user group, as a result of an especially fatal SQL Injection vulnerability within the sign-up process. These points of peak exposure underline the importance of keeping live MyBB forums easy to update (e.g. by avoiding core file modifications, in favor of plugin hooks) and performing actual upgrades as soon as they’re released,” they added.

MyBB believes that changes made in the upcoming 1.9 version and general security improvements in web browsers will lead to fewer vulnerabilities in the future.

Related: MyBB Says Hacker Didn’t Access User Data, Source Code

Related: SQL Injection Vulnerability Patched in IP.Board Forum Software

Related: Comodo Forums Hacked via Recently Disclosed vBulletin Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.