0Xc0Ffeee

#10337of 53,625
26.8Total CVSS
Vulnerabilities · 3
High
1
Critical
2
PT-2024-27925
9.8
2024-07-25
R Hub · R-Hub Turbomeeting · CVE-2024-38287
**Name of the Vulnerable Software and Affected Versions** R-HUB TurboMeeting versions through 8.x **Description** The password-reset mechanism in the Forgot Password functionality allows unauthenticated remote attackers to force the application into resetting the administrator's password to a random insecure 8-digit value. **Recommendations** For R-HUB TurboMeeting versions through 8.x, consider temporarily disabling the Forgot Password functionality until a patch is available to prevent unauthorized password resets. Restrict access to the administrator account to minimize the risk of exploitation. Avoid using the Forgot Password feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2024-27926
7.2
2024-07-25
R Hub · R-Hub Turbomeeting · CVE-2024-38288
**Name of the Vulnerable Software and Affected Versions** R-HUB TurboMeeting versions prior to 9.x **Description** A command-injection issue in the Certificate Signing Request (CSR) functionality allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as root. **Recommendations** For R-HUB TurboMeeting versions prior to 9.x, update to version 9.x or later to resolve the issue. As a temporary workaround, consider restricting access to the CSR functionality to minimize the risk of exploitation.
PT-2024-27927
9.8
2024-07-25
R Hub · R-Hub Turbomeeting · CVE-2024-38289
**Name of the Vulnerable Software and Affected Versions** R-HUB TurboMeeting versions through 8.x **Description** A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint allows unauthenticated remote attackers to extract hashed passwords from the database and authenticate to the application via crafted SQL input. **Recommendations** For R-HUB TurboMeeting versions through 8.x, consider restricting access to the Virtual Meeting Password endpoint until a patch is available. As a temporary workaround, avoid using crafted SQL input in the VMP endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.