MyBB has released security updates addressing multiple vulnerabilities, including SQL injection, cross-site scripting (XSS) and bypass issues.
Security Vulnerability
MyBB, the free and open source forum software powering thousands of engaging, vibrant, and unique communities across the internet, has released security updates addressing multiple security vulnerabilities.
The vulnerabilities rated CRITICAL are listed below:
Cross-site Scripting (XSS) — CVE-2021-27889
A cross-site scripting (XSS) vulnerability in MyBB before 1.8.26, reachable via nested Auto URL handling when parsing messages.
Description
The parsing of messages containing URLs within values of MyCode (BBCode) tags may cause unexpected nesting and output malformed HTML that may be exploited, resulting in an XSS vulnerability.
The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed.
Based on the advisory, the impact may be reduced if:
- MyCode is disabled for individual forums, Private Messages, user profile signatures, and calendars, or
- guest users are not allowed to submit messages where MyCode is supported, or posting access is otherwise limited or controlled.
Patches
MyBB 1.8.26 resolves this issue with the following changes:
https://github.com/mybb/mybb/commit/86894e1e6837f7687ecf6d9e572a626fc2d5d4fc.patch
Theme Properties SQL Injection — CVE-2021-27890
An SQL injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.
Description
Certain theme properties included in theme XML files are not escaped properly when included in SQL queries, leading to an SQL injection vulnerability.
The vulnerability may be exploited when a forum administrator with the Can manage themes? permission imports a maliciously crafted theme, and then either:
- a forum administrator uses the Export Theme or Duplicate Theme features in the Admin Control Panel, or
- a user for whom the theme has been set visits a forum page.
Based on the advisory, the impact may be reduced if:
- no themes from untrusted sources are imported, and
- the Admin CP's Can manage themes? permission is limited to trusted administrators.
Patches
MyBB 1.8.26 resolves this issue with the following changes:
https://github.com/mybb/mybb/commit/561e1c76d85ed92931440730c0e78b63359b27a4.patch
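To illustrate the bug class described above (an untrusted theme XML property flowing into an SQL query) here is an added example that is not MyBB's code: a constructed, simplified theme XML is parsed and its templateset property is looked up both with string concatenation (the vulnerable pattern) and with a bound parameter (the hardened pattern). The XML layout, table name and columns are assumptions, and parameter binding stands in for MyBB's own database escaping layer.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample theme XML (simplified; not MyBB's real schema).
# The templateset property carries a value that breaks out of a quoted SQL literal.
THEME_XML = """<theme name="Demo Theme" version="1826">
  <properties>
    <templateset>x' OR '1'='1</templateset>
  </properties>
</theme>"""


def parse_templateset(xml_text: str) -> str:
    """Pull the templateset property out of a theme XML document."""
    root = ET.fromstring(xml_text)
    node = root.find("./properties/templateset")
    return node.text if node is not None and node.text else ""


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a template sets table, seeded with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE templatesets (sid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO templatesets (title) VALUES (?)",
                   [("Default Templates",), ("Staff Templates",)])
    return db


def lookup_unsafe(db: sqlite3.Connection, title: str) -> list:
    """Vulnerable pattern: the untrusted property is concatenated into the SQL text,
    so quote characters in it change the meaning of the WHERE clause."""
    query = f"SELECT sid, title FROM templatesets WHERE title = '{title}'"
    return db.execute(query).fetchall()


def lookup_safe(db: sqlite3.Connection, title: str) -> list:
    """Hardened pattern: the value is bound as a parameter and never parsed as SQL."""
    return db.execute(
        "SELECT sid, title FROM templatesets WHERE title = ?", (title,)
    ).fetchall()


if __name__ == "__main__":
    ts = parse_templateset(THEME_XML)
    db = make_db()
    print("unsafe:", lookup_unsafe(db, ts))  # every row leaks: the WHERE clause became always-true
    print("safe:  ", lookup_safe(db, ts))    # [] : no template set has that literal title
```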
Vulnerable Platforms
The vulnerable MyBB versions are:
- All Versions Prior To 1.8.26
Multiple MyBB versions were also affected by the following recent CVEs:
- CVE-2021-3350
- CVE-2021-3337
- CVE-2021-28115
- CVE-2021-27949
- CVE-2021-27948
- CVE-2021-27947
- CVE-2021-27946
- CVE-2021-27279
Security Recommendations
In short, it is highly recommended to apply the latest patches released, or to reach out at security@mybb.com.