CVE-2024-38289
CRITICAL EXPLOITED NUCLEI
R-HUB TurboMeeting <8.x - SQL Injection
Title source: llm
Exploitation Summary
CVE-2024-38289 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.
Nuclei Templates (1)
TurboMeeting - Boolean-based SQL Injection
CRITICAL VERIFIED by rootxharsh, iamnoooob, pdresearch
Shodan:
html:"TurboMeeting"
References (2)
Core References
Exploit, Third Party Advisory
https://github.com/google/security-research/security/advisories/GHSA-vx5j-8pgx-v42v
Scores
CVSS v3: 9.8
EPSS: 0.4087
EPSS Percentile: 98.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
VulnCheck KEV: 2024-09-14
CWE: CWE-89
Status: published
Products (1): rhubcom/turbomeeting < 8.0
Published: Jul 25, 2024
Tracked Since: Feb 18, 2026