CVE-2025-14317

In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and 7.4.1 (iOS).

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/posts/2026/01/CVE-2025-14317
https://crazybubble.pl/aplikacja-crazy-bubble/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) En la aplicación móvil Crazy Bubble Tea, un atacante autenticado puede obtener información personal sobre otros usuarios al enumerar un parámetro 'loyaltyGuestId'. El servidor no verifica los permisos necesarios para obtener los datos. Este problema se solucionó en la versión 915 (Android) y 7.4.1 (iOS).

14 Jan 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-14 14:16

Updated : 2026-04-15 00:35

NVD link : CVE-2025-14317

Mitre link : CVE-2025-14317

CVE.ORG link : CVE-2025-14317

JSON object : View

Products Affected

No product.

CWE

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

{"id": "CVE-2025-14317", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-14T14:16:11.543", "references": [{"url": "https://cert.pl/posts/2026/01/CVE-2025-14317", "source": "cvd@cert.pl"}, {"url": "https://crazybubble.pl/aplikacja-crazy-bubble/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-359"}]}], "descriptions": [{"lang": "en", "value": "In Crazy Bubble Tea mobile application authenticated attacker can\u00a0obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server\u00a0does not verify the permissions required to obtain the data.\n\n\nThis issue was fixed in version\u00a0915 (Android) and 7.4.1 (iOS)."}, {"lang": "es", "value": "En la aplicaci\u00f3n m\u00f3vil Crazy Bubble Tea, un atacante autenticado puede obtener informaci\u00f3n personal sobre otros usuarios al enumerar un par\u00e1metro 'loyaltyGuestId'. El servidor no verifica los permisos necesarios para obtener los datos.\n\nEste problema se solucion\u00f3 en la versi\u00f3n 915 (Android) y 7.4.1 (iOS)."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cvd@cert.pl"}