CVE-2025-14349 - Vulnerability Details

Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Uni-yaz	Flexcity
Universal Software Inc.	Flexcity/kiosk

Configuration 1 [-]

cpe:2.3:a:uni-yaz:flexcity:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0065
https://www.usom.gov.tr/bildirim/tr-26-0065

History

Thu, 04 Jun 2026 07:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 04 Jun 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description	Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.	Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
References		https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0065

Mon, 02 Mar 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Uni-yaz Uni-yaz flexcity
CPEs		cpe:2.3:a:uni-yaz:flexcity::::::::
Vendors & Products		Uni-yaz Uni-yaz flexcity

Fri, 13 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Universal Software Inc. Universal Software Inc. flexcity/kiosk
Vendors & Products		Universal Software Inc. Universal Software Inc. flexcity/kiosk

Fri, 13 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
Title		Business Logic Error in Universal Software's FlexCity/Kiosk
Weaknesses		CWE-267 CWE-306
References		https://www.usom.gov.tr/bildirim/tr-26-0065
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published: 2026-02-13T13:09:43.901Z

Updated: 2026-06-04T06:21:43.095Z

Reserved: 2025-12-09T15:35:48.265Z

Link: CVE-2025-14349

Vulnrichment

Updated: 2026-02-13T17:00:57.760Z

NVD

Status : Modified

Published: 2026-02-13T14:16:09.210

Modified: 2026-06-04T07:16:26.243

Link: CVE-2025-14349

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object