CVE-2016-6538
moderate-risk
Published 2018-07-06
The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in CVE-2016-6538, CVE-2016-6539, CVE-2016-6540 and CVE-2016-6541.
Do I need to act?
0.23% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.8/10 · High · ADJACENT_NETWORK / LOW complexity
Affected Products (2)
Trackr Bravo Firmware
Trackr Bravo Firmware
Affected Vendors
References (8)
Third Party Advisory
http://www.securityfocus.com/bid/93874
Third Party Advisory
https://www.kb.cert.org/vuls/id/617567
Third Party Advisory
https://www.kb.cert.org/vuls/id/TNOY-AF3KCZ
35 / 100
moderate-risk
Severity
27/34 · High
Exploitability
1/34 · Minimal
Exposure
7/34 · Low