Velneo vClient improper authentication

Publication date: 11/23/2022
Identifier: INCIBE-2022-1017
Importance: 4 - High
Affected resources: 

Velneo vClient, version 28.1.3.

Description: 

INCIBE has coordinated the publication of a vulnerability in Velneo vClient, which has been discovered by Jesús Ródenas Huerta, ‘Marmeus’.

CVE-2021-45036 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.7 has been calculated; the CVSS vector string is AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N.

Solution: 

This vulnerability has been fixed by the Velneo team in version 32, released on 11/08/2022.

Detail: 

Velneo vClient, in version 28.1.3, could allow an attacker who knows the victim's username and hashed password to spoof the victim's ID against the server.

CWE-836: use of password hash instead of password for authentication.
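
The following is an added illustration of the CWE-836 pattern in general, not Velneo's code or protocol (the advisory does not describe either). It contrasts a verifier that accepts a client-supplied hash with one that derives the verifier server-side; the store layout, function names and sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os

PASSWORD = "correct horse battery staple"  # constructed sample value


def weak_register(store, user, password):
    # CWE-836 pattern: the server stores H(password)...
    store[user] = hashlib.sha256(password.encode()).hexdigest()


def weak_login(store, user, client_supplied_hash):
    # ...and the client sends H(password), so the hash itself is the credential.
    if user not in store:
        return False
    return hmac.compare_digest(store[user].encode(), client_supplied_hash.encode())


def strong_register(store, user, password):
    # Hardened form: keep a per-user salt and a slow, salted derivation.
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    store[user] = (salt, derived)


def strong_login(store, user, secret):
    # The server runs the derivation on whatever the client sent, so a
    # replayed stored value is hashed again and no longer matches.
    if user not in store:
        return False
    salt, derived = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)
    return hmac.compare_digest(derived, candidate)


def replay_results():
    # Model a leak of the stored verifier and check whether it logs in.
    weak, strong = {}, {}
    weak_register(weak, "alice", PASSWORD)
    strong_register(strong, "alice", PASSWORD)
    leaked_weak = weak["alice"]
    leaked_strong = strong["alice"][1].hex()
    return {
        "weak_accepts_leaked_hash": weak_login(weak, "alice", leaked_weak),
        "strong_accepts_leaked_hash": strong_login(strong, "alice", leaked_strong),
        "strong_accepts_password": strong_login(strong, "alice", PASSWORD),
    }
```

The hardened path assumes the password reaches the server over an encrypted channel such as TLS.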

If you have any information regarding this advisory, please contact INCIBE as indicated in the 'CVE assignment and publication'.
