The latest release of MyBB, the forum software, addresses 38 functionality bugs and four security vulnerabilities.
The new release, MyBB 1.6.13, which is available for download, fixes vulnerabilities including an issue that could be leveraged to execute PHP code through stylesheets, and a flaw that could allow PHP code execution through language files. These medium-risk security holes were reported by TonyS and Pirata Nervo.
The other two vulnerabilities are a cross-site scripting (XSS) flaw in the search system and a potentially weak random string generator. These issues fall in the low-risk category.
The XSS flaw is CVE-2014-1840, which enables a remote attacker to inject arbitrary code via the keywords parameter in a “do_search” action. The random string generator issue was reported by 1Ilusion.
Although 38 functionality bugs were fixed, the GitHub page of MyBB shows there are others that remain unfixed, including issues confirmed by the developer.
Users who updated their installations prior to April 27 should download the package once again and replace the “admin/modules/style/themes.php” file. This operation is necessary because of a “minor issue” with the original packages.
Additional details on the changes in the latest release are available on the MyBB website.