CVE-2024-38288 PoC — RHUB TurboMeeting 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-38288.yaml

Associated Vulnerability

Title:RHUB TurboMeeting 安全漏洞 (CVE-2024-38288)
Description:RHUB TurboMeeting是RHUB公司的一种协作解决方案。提供网络会议、远程支持、音频会议、视频会议、远程访问和网络研讨会支持。 RHUB TurboMeeting 8.X之前版本存在安全漏洞，该漏洞源于证书签名请求功能中存在命令注入漏洞，从而允许具有管理员权限的攻击者以root身份在底层服务器上执行任意命令。

Description

The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The application failed to properly sanitize user-supplied input before using it in a command executed privileges.

File Snapshot


 id: CVE-2024-38288

info:
  name: TurboMeeting - Post-Authentication Command Injection
  author: roo

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!