CVE-2024-38289
published 2024-07-25

Priority P189 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 40.87% (98.5th percentile)

A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.

Affected

1 range

Vendor | Product | Version range | Fixed in
rhubcom | turbomeeting | <= 8.0 |

Detection & IOCs (extracted from sources)

url: /as/wapi/vmp
command: meeting_id=1'/**/OR/**/1=1/**/UNION/**/select/**/password/**/from/**/employee/**/where/**/email='admin'/**/AND/**/substr(password,2,1)='b'/**
command: meeting_id=1'/**/OR/**/1=2/**/UNION/**/select/**/password/**/from/**/employee/**/where/**/email='admin'/**/AND/**/substr(password,2,1)='b'/**
  • The vulnerable endpoint is the Virtual Meeting Password (VMP) endpoint at POST /as/wapi/vmp. Monitor for SQL injection patterns in the `meeting_id` POST parameter, particularly comment-obfuscated payloads using /**/ separators and UNION SELECT statements targeting the `employee` table.
  • Boolean-based blind SQLi detection: a TRUE condition returns 'SUCCEED' in the response body, while a FALSE condition returns 'FAILED'. Differential response analysis on these two strings can confirm exploitation.
  • Shodan fingerprint for exposed TurboMeeting instances: search for html:"TurboMeeting" to identify internet-facing targets.
  • The attack is unauthenticated and targets the `employee` table to extract hashed passwords (column `password`) by email address (e.g., 'admin'). No session or authentication token is required.
  • Content-Type of the malicious POST request is application/x-www-form-urlencoded. WAF/IDS rules should inspect this content type on the /as/wapi/vmp path for SQL keywords.
  • The vulnerability affects R-HUB TurboMeeting through version 8.x. The EPSS score is extremely high (0.84253, 99.3rd percentile), indicating active or likely exploitation in the wild.
  • The SQL injection payload uses comment-based whitespace obfuscation (/**/) to bypass naive keyword-space detection. Detection rules must account for this obfuscation pattern.
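
An added example (not from the source advisory or the vendor): a Python check that applies the detection notes above to a logged request, replacing /**/ comments with spaces before matching SQL indicators in `meeting_id`. The function names, indicator names and sample request bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

VMP_PATH = "/as/wapi/vmp"  # endpoint named in the detection notes
FORM_TYPE = "application/x-www-form-urlencoded"
# Inline SQL comment; also matches an unterminated "/*..." at end of input.
COMMENT = re.compile(r"/\*.*?(\*/|$)", re.S)
# Hypothetical indicator names; patterns run on the normalized value.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "employee_table": re.compile(r"\bfrom\s+employee\b"),
    "substr_probe": re.compile(r"\bsubstr(ing)?\s*\("),
    "boolean_tautology": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+"),
}

def normalize(value):
    """Turn comments into spaces, collapse whitespace, lowercase."""
    value = COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

def inspect_request(method, path, content_type, body):
    """Return sorted indicator names found in meeting_id ([] if none)."""
    if method.upper() != "POST" or path.split("?")[0] != VMP_PATH:
        return []
    if not content_type.lower().startswith(FORM_TYPE):
        return []
    hits = set()
    # parse_qs percent-decodes, so encoded payloads are normalized too.
    for raw in parse_qs(body, keep_blank_values=True).get("meeting_id", []):
        text = normalize(raw)
        hits.update(n for n, rx in INDICATORS.items() if rx.search(text))
        if "/*" in raw:
            hits.add("comment_obfuscation")
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample bodies, as they might appear in a proxy or WAF log.
    samples = [
        "meeting_id=123456",
        "meeting_id=1'/**/OR/**/1=1/**/UNION/**/select/**/password"
        "/**/from/**/employee",
    ]
    for body in samples:
        print(inspect_request("POST", VMP_PATH, FORM_TYPE, body), body[:40])
```

A match here shows that a request carried injection syntax; pairing it with the 'SUCCEED'/'FAILED' response strings from the same source address is what ties it to the boolean-based extraction described above.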

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL