CVE-2025-14349 - Vulnerability Details - OpenCVE

Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Universal Software Inc.	Flexcity/kiosk

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/pentest
https://www.spirityenterprise.com/virtual-ciso
https://www.usom.gov.tr/bildirim/tr-26-0065

History

Fri, 13 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Universal Software Inc. Universal Software Inc. flexcity/kiosk
Vendors & Products		Universal Software Inc. Universal Software Inc. flexcity/kiosk

Fri, 13 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
Title		Business Logic Error in Universal Software's FlexCity/Kiosk
Weaknesses		CWE-267 CWE-306
References		https://www.usom.gov.tr/bildirim/tr-26-0065
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published: 2026-02-13T13:09:43.901Z

Updated: 2026-02-13T17:01:01.873Z

Reserved: 2025-12-09T15:35:48.265Z

Link: CVE-2025-14349

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-02-13T14:16:09.210

Modified: 2026-02-13T14:23:48.007

Link: CVE-2025-14349

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14349", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "state": "PUBLISHED", "assignerShortName": "TR-CERT", "dateReserved": "2025-12-09T15:35:48.265Z", "datePublished": "2026-02-13T13:09:43.901Z", "dateUpdated": "2026-02-13T17:01:01.873Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "FlexCity/Kiosk", "vendor": "Universal Software Inc.", "versions": [{"lessThan": "1.0.36", "status": "affected", "version": "1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "\u0130brahim Y\u0130\u011e\u0130TSOY"}], "datePublic": "2026-02-13T11:57:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.<p>This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.</p>"}], "value": "Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}, {"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-267", "description": "CWE-267 Privilege Defined With Unsafe Actions", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2026-02-13T13:11:36.130Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.usom.gov.tr/bildirim/tr-26-0065"}], "source": {"advisory": "TR-26-0065", "defect": ["TR-26-0065"], "discovery": "UNKNOWN"}, "title": "Business Logic Error in Universal Software's FlexCity/Kiosk", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T17:00:51.316203Z", "id": "CVE-2025-14349", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T17:01:01.873Z"}}]}}