MyTube Mass Assignment Vulnerability in Settings Management
Vulnerability
A mass assignment vulnerability has been identified in MyTube, a self-hosted video downloader and player, in versions through 1.7.78. The issue lies in the settings management feature: the saveSettings() function persists arbitrary key-value pairs without validating them against a whitelist of allowed settings. This missing input validation lets an attacker inject unauthorized configuration entries into the database, potentially overwriting legitimate settings or altering application behavior.
Impact
Exploitation of this vulnerability allows for the injection of arbitrary properties into the application's settings database, with the potential to overwrite legitimate settings or introduce malicious values that could change how the application functions.
Reproduction
To reproduce this vulnerability, send a POST request to the application's settings API endpoint whose body contains property names that are not on the application's whitelist of allowed settings. The injected properties are saved to the database without any validation.
Remediation
Users are advised to update to MyTube version 1.7.79, where this vulnerability has been fixed.
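The pattern behind the finding and the shape of the fix, as an added example that is not MyTube's own code: a settings handler that copies every key from the request body into the store (the vulnerable behaviour described above) beside one that accepts only whitelisted keys with validated values and rejects the whole request otherwise. The setting names, validators and store shape are assumed for illustration.

```javascript
// Added example, not MyTube's code. Setting names and validators are assumed.
// Whitelist: each allowed setting maps to a validator for its value.
const ALLOWED_SETTINGS = {
  theme:        (v) => v === 'light' || v === 'dark',
  maxDownloads: (v) => Number.isInteger(v) && v >= 1 && v <= 10,
  downloadPath: (v) => typeof v === 'string' && v.length > 0,
};

// Vulnerable pattern: every key in the request body is written to the store,
// so any property name the client chooses becomes a persisted setting.
function saveSettingsUnsafe(store, body) {
  for (const [key, value] of Object.entries(body)) {
    store[key] = value;
  }
  return store;
}

// Hardened pattern: only whitelisted keys are accepted, each value is checked,
// and nothing is persisted if any key is unknown or any value is invalid.
function saveSettings(store, body) {
  const rejected = [];
  const accepted = {};
  for (const [key, value] of Object.entries(body)) {
    const validate = Object.prototype.hasOwnProperty.call(ALLOWED_SETTINGS, key)
      ? ALLOWED_SETTINGS[key]
      : null;
    if (!validate || !validate(value)) {
      rejected.push(key);           // unknown key or failed validation
    } else {
      accepted[key] = value;
    }
  }
  if (rejected.length > 0) {
    // Return the rejected names so the caller can log them; store is untouched.
    return { ok: false, rejected };
  }
  Object.assign(store, accepted);
  return { ok: true, rejected: [] };
}

// Constructed request body: one valid setting, one key outside the whitelist,
// and one whitelisted key with an out-of-range value.
const constructedBody = { theme: 'dark', extraSetting: 'injected', maxDownloads: 999 };

function demo() {
  const unsafeStore = saveSettingsUnsafe({ theme: 'light' }, constructedBody);
  const safeStore = { theme: 'light' };
  const result = saveSettings(safeStore, constructedBody);
  return { unsafeStore, safeStore, result };
}
```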