28 matches found
EUVD-2016-7463
Malware in sbrugna...
EUVD-2016-7465
Malware in sbrugna...
EUVD-2016-7464
Malware in sbrugna...
Code injection
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
Authentication flaw
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
Code injection
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
Design/Logic Flaw
The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device's BLE MAC address...
CVE-2016-6543
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
CVE-2016-6542
The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device's BLE MAC address...
CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
CVE-2016-6544
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
Design/Logic Flaw
Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password...
CVE-2016-6544 iTrack Easy's getgps data can be modified without authentication
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
CVE-2016-6545 iTrack Easy does not use session cookies to maintain sessions and POSTs the user's password over HTTPS for each request
Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password...
CVE-2016-6545
CVE-2016-6545 relates to iTrack Easy where session cookies are not used to maintain valid sessions and the user password is sent as a base64-encoded POST parameter on every request. The underlying issue is insufficient session expiration/management, requiring a password change to terminate sessio...
CVE-2016-6542
The CVE-2016-6542 entry concerns the iTrack Easy device, where the BLE MAC address (the tracker ID) can be obtained by being within range of the device. The issue is described as an information exposure vulnerability: an unauthenticated party could learn the device’s BLE MAC address, enabling pot...
CVE-2016-6542 The MAC address/device tracking ID of an iTrack Easy can be obtained within range of the device
The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device's BLE MAC address...
CVE-2016-6546 iTrack Easy mobile application stores the user password in base-64 encoding/cleartext
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
CVE-2016-6543 A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
CVE-2016-6544
CVE-2016-6544 affects iTrack Easy and concerns a missing authentication for a critical function: the getgps data can be modified by setting the parameter cmd:setothergps, enabling an unauthenticated attacker to alter GPS data of a lost device. The connected documents confirm the root cause is lac...