CVE-2021-45036
HIGH
Velneo vClient 28.1.3 - Authentication Bypass by Spoofing via Hashed Password
Title source: llm
Description
Velneo vClient, in version 28.1.3, could allow an attacker with knowledge of the victim's username and hashed password to spoof the victim's ID against the server.
References (7)
Core References
Vendor Advisory
https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver
Vendor Advisory
https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps
Release Notes, Vendor Advisory
https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena
Release Notes, Vendor Advisory
https://velneo.es/mivelneo/listado-de-cambios-velneo-32/
Release Notes, Vendor Advisory
https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32
Scores
CVSS v3
8.7
EPSS
0.0070
EPSS Percentile
48.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-290
CWE-287
Status
published
Products (1)
velneo/vclient
28.1.3
Published
Nov 28, 2022
Tracked Since
Feb 18, 2026