Daniel-Grunbergerca

**Name of the Vulnerable Software and Affected Versions** MyTube versions prior to 1.8.69 **Description** MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass exists in the `/api/settings/import-database` API endpoint. This bypass allows attackers with low-privilege credentials to upload and replace the application's SQLite database, resulting in a full compromise of the application. The bypass is also relevant for other POST routes. **Recommendations** Versions prior to 1.8.69 should be updated to version 1.8.69 or later.

**Name of the Vulnerable Software and Affected Versions** MyTube versions prior to 1.8.71 **Description** MyTube is a self-hosted downloader and player for several video websites. Before version 1.8.71, an unauthenticated attacker could register an arbitrary passkey and subsequently authenticate with it to obtain a full administrator session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. The vulnerable endpoints are the passkey registration endpoints. The `passkey` is the vulnerable parameter. **Recommendations** Versions prior to 1.8.71 should be updated to version 1.8.71 or later.

**Name of the Vulnerable Software and Affected Versions** MyTube versions prior to 1.8.72 **Description** MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three publicly accessible password verification **API Endpoints** that share a single file-backed login attempt state stored in `login-attempts.json`. Each endpoint uses the `recordFailedAttempt()` function to update a shared `failedAttempts` counter and associated timestamps. The `canAttemptLogin()` function checks this shared state to determine if a cooldown period is active before validating a password. Because the counter and cooldown timer are globally shared, failed attempts against any endpoint affect all others. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, progressively increasing the lockout duration up to 24 hours. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely. **Recommendations** Versions prior to 1.8.72 should be updated to version 1.8.72 or later.