CVE-2024-38289
Published: 2024-07-25

Priority: P1 (89)
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: exploited (VulnCheck KEV)
EPSS: 40.87% (98.5th percentile)
A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhubcom | turbomeeting | <= 8.0 | — |
Detection & IOCs (extracted from sources)

- command: `meeting_id=1'/**/OR/**/1=1/**/UNION/**/select/**/password/**/from/**/employee/**/where/**/email='admin'/**/AND/**/substr(password,2,1)='b'/**`
- command: `meeting_id=1'/**/OR/**/1=2/**/UNION/**/select/**/password/**/from/**/employee/**/where/**/email='admin'/**/AND/**/substr(password,2,1)='b'/**`
- The vulnerable endpoint is the Virtual Meeting Password (VMP) endpoint at `POST /as/wapi/vmp`. Monitor for SQL injection patterns in the `meeting_id` POST parameter, particularly comment-obfuscated payloads using `/**/` separators and UNION SELECT statements targeting the `employee` table.
- Boolean-based blind SQLi detection: a TRUE condition returns `SUCCEED` in the response body, while a FALSE condition returns `FAILED`. Differential response analysis on these two strings can confirm exploitation.
- Shodan fingerprint for exposed TurboMeeting instances: search for `html:"TurboMeeting"` to identify internet-facing targets.
- The attack is unauthenticated and targets the `employee` table to extract hashed passwords (column `password`) by email address (e.g., `admin`). No session or authentication token is required.
- Content-Type of the malicious POST request is `application/x-www-form-urlencoded`. WAF/IDS rules should inspect this content type on the `/as/wapi/vmp` path for SQL keywords.
- The vulnerability affects R-HUB TurboMeeting through version 8.x. The EPSS score is extremely high (0.84253, 99.3rd percentile), indicating active or likely exploitation in the wild.
- The SQL injection payload uses comment-based whitespace obfuscation (`/**/`) to bypass naive keyword-space detection. Detection rules must account for this obfuscation pattern.
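As an added example that is not part of the source notes or any vendor or template code, the following Python inspects a form-encoded POST to the VMP path the way the notes above suggest: it replaces the `/**/` comment obfuscation in `meeting_id` with whitespace before keyword matching, so the separators no longer defeat a keyword-space rule. The endpoint path, content type and parameter name come from the notes; the sample bodies are constructed, the suspicious one mirroring the payload shape quoted above.

```python
import re
from urllib.parse import parse_qs

VMP_PATH = "/as/wapi/vmp"
FORM_TYPE = "application/x-www-form-urlencoded"

# Constructed sample bodies (not captured traffic); the second mirrors the
# comment-obfuscated payload shape quoted in the IOC list above.
BENIGN_BODY = "meeting_id=123456&password=abc"
SUSPICIOUS_BODY = (
    "meeting_id=1'/**/OR/**/1=2/**/UNION/**/select/**/password/**/from/**/"
    "employee/**/where/**/email='admin'/**/AND/**/substr(password,2,1)='b'/**"
)

# Patterns are applied after de-obfuscation, so /**/ separators no longer
# hide the keywords from a naive keyword-space match.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "boolean_probe": re.compile(r"\bor\b\s*\d+\s*=\s*\d+", re.I),
    "employee_table": re.compile(r"\bfrom\s+employee\b", re.I),
    "substr_probe": re.compile(r"\bsubstr\s*\(", re.I),
}

def normalise(value: str) -> str:
    """Turn SQL comment sequences into whitespace and collapse runs of it."""
    cleaned = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # closed comments
    cleaned = re.sub(r"/\*.*$", " ", cleaned, flags=re.S)    # unterminated tail
    return re.sub(r"\s+", " ", cleaned).strip()

def inspect_vmp_request(path: str, content_type: str, body: str) -> list[str]:
    """Names of SQLi indicators seen in meeting_id for a form POST to the VMP
    endpoint; an empty list means the request looked clean."""
    if path != VMP_PATH or not content_type.startswith(FORM_TYPE):
        return []
    hits = set()
    for raw in parse_qs(body, keep_blank_values=True).get("meeting_id", []):
        cleaned = normalise(raw)
        hits.update(name for name, rx in SQLI_PATTERNS.items() if rx.search(cleaned))
        if "'" in cleaned:          # a quote in a numeric meeting id is itself a flag
            hits.add("quote_in_meeting_id")
    return sorted(hits)

if __name__ == "__main__":
    for body in (BENIGN_BODY, SUSPICIOUS_BODY):
        print(inspect_vmp_request(VMP_PATH, FORM_TYPE, body))
```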
CVSS provenance

- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
No detection rules found.
Nuclei

TurboMeeting - Boolean-based SQL Injection (nuclei · CVSS 9.8)
CVE-2024-38289 [CRITICAL] TurboMeeting - Boolean-based SQL Injection

A Boolean-based SQL injection vulnerability in the "RHUB TurboMeeting" web application. This vulnerability could allow an attacker to execute arbitrary SQL commands on the database server, potentially allowing them to access sensitive data or compromise the server.

Template:

```yaml
id: CVE-2024-38289
info:
  name: TurboMeeting - Boolean-based SQL Injection
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    A Boolean-based SQL injection vulnerability in the "RHUB TurboMeeting" web application. This vulnerability could allow an attacker to execute arbitrary SQL commands on the database server, potentially allowing them to access sensitive data or compromise the server.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL c
```