P1Ngul1N0

**Name of the Vulnerable Software and Affected Versions** MyTube versions 1.7.78 and below **Description** The MyTube application does not properly protect against authorization bypass, potentially allowing guest users to download the complete application database. The application does not validate user permissions correctly on the database export endpoint, which allows low-privileged users to access sensitive data they are not authorized to view. **Recommendations** Update MyTube to a version higher than 1.7.78.

**Name of the Vulnerable Software and Affected Versions** MyTube versions prior to 1.7.78 **Description** MyTube is a self-hosted downloader and player for video websites. Versions 1.7.78 and earlier are subject to a Mass Assignment issue in the settings management functionality because of inadequate input validation. The `saveSettings()` function accepts arbitrary key-value pairs without validating property names against allowed settings. The function utilizes `Record<string, any>` as the input type and iterates through all entries using `Object.entries()` without filtering unauthorized properties. Any field sent by an attacker is directly saved to the database, irrespective of whether it represents a legitimate application setting. **Recommendations** Update to version 1.7.78 or later.

**Name of the Vulnerable Software and Affected Versions** MyTube versions prior to 1.7.66 **Description** MyTube is a self-hosted downloader and player for several video websites. A flaw allows unauthenticated users to bypass the authentication check in the `roleBasedAuthMiddleware`. By not providing an authentication cookie, a request is incorrectly passed to downstream handlers. All users running MyTube with `loginEnabled: true` are impacted. This allows an attacker to access and modify application settings via the `/api/settings` endpoint, change administrative and visitor passwords, and access other protected routes that rely on this middleware. The issue is related to a default to `next()` in the `roleBasedAuthMiddleware` when `req.user` is undefined. **Recommendations** Upgrade to MyTube version 1.7.66 or later. As a temporary workaround, restrict network access to the `/api/` endpoints to trusted IP addresses using a firewall or reverse proxy. If comfortable editing the source code, manually patch the `roleBasedAuthMiddleware` to ensure it returns a 401 Unauthorized error when `req.user` is undefined, instead of calling `next()`.

**Name of the Vulnerable Software and Affected Versions** MyTube versions prior to 1.7.71 **Description** MyTube is a self-hosted downloader and player for several video websites. A rate limiting bypass exists due to `X-Forwarded-For` header spoofing, allowing unauthenticated attackers to circumvent IP-based rate limiting on general API endpoints. Attackers can manipulate the `X-Forwarded-For` header to spoof client IPs, enabling unlimited requests to protected endpoints, including general API endpoints, potentially leading to a denial-of-service (DoS) condition. The vulnerable API endpoints are susceptible to abuse through the manipulation of the `X-Forwarded-For` header. **Recommendations** Update MyTube to version 1.7.71 or later.