Headline
CVE-2021-45035: Velneo vClient Improper authentication
Velneo vClient version 28.1.3 does not correctly check the certificate of authenticity by default. This could allow an attacker with access to the network to perform a MITM attack in order to obtain the user's credentials.
Description:
INCIBE has coordinated the publication of a vulnerability in Velneo vClient, which was discovered by Jesús Ródenas Huerta 'Marmeus'.
CVE-2021-45035 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N.
Solution:
This vulnerability was fixed by the Velneo team in version 29.2, released on 29/06/2021.
Detail:
Velneo vClient version 28.1.3 does not correctly check the certificate of authenticity by default. This could allow an attacker with access to the network to perform a MITM attack in order to obtain the user's credentials.
CWE-287: Improper Authentication.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication.