CVE-2016-6538

HIGH

TrackR Bravo Firmware < 2.2.5 (Android) and < 5.1.6 (iOS) - Cleartext Password Exposure in cache.db

Title source: llm

Description

The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in CVE-2016-6538, CVE-2016-6539, CVE-2016-6540 and CVE-2016-6541.

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93874
Third Party Advisory, US Government Resource x_refsource_misc
https://www.kb.cert.org/vuls/id/TNOY-AF3KCZ
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/617567

Scores

CVSS v3 8.8
EPSS 0.0106
EPSS Percentile 60.3%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-200 CWE-255 CWE-313
Status published
Products (2)
thetrackr/trackr_bravo_firmware < 2.2.5
thetrackr/trackr_bravo_firmware < 5.1.6
Published Jul 06, 2018
Tracked Since Feb 18, 2026