Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.
This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.