CVE-2024-38289
CRITICAL EXPLOITED NUCLEI
R-HUB TurboMeeting <8.x - SQL Injection
A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.
Nuclei Templates (1)
TurboMeeting - Boolean-based SQL Injection
CRITICAL VERIFIED by rootxharsh, iamnoooob, pdresearch
Shodan: html:"TurboMeeting"
Scores
CVSS v3: 9.8
EPSS: 0.8425
EPSS Percentile: 99.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2024-09-14
CWE: CWE-89
Status: published
Products (1): rhubcom/turbomeeting < 8.0
Published: Jul 25, 2024
Tracked Since: Feb 18, 2026