CVE-2024-38289

A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote...

Basic Information

CVE State: PUBLISHED
Reserved Date: June 13, 2024
Published Date: July 25, 2024
Last Updated: August 02, 2024
Vendor: n/a
Product: n/a
Description: A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score: 86.19% (Percentile: 99.34%) as of 2025-06-12

SSVC Information

Exploitation: poc
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2025-05-15 00:00:00 UTC) Source

References

https://www.rhubcom.com/v5/manuals.html https://github.com/google/security-research/security/advisories/GHSA-vx5j-8pgx-v42v

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-05-15 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-38289.yaml	2025-04-26 00:00:00 UTC

Timeline

CVE ID Reserved

June 13, 2024
CVE Published to Public

July 25, 2024
Detected by Nuclei

April 26, 2025
Added to KEVIntel

May 15, 2025