CVE-2025-52024

Critical CVSS: 9.4

A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.

Vendor

Aptsys

Product

Gemscms Backend

CWE

CWE-306

Yayın Tarihi

2026-01-23 21:15:50

Güncelleme

2026-02-11 19:23:51

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-306 Gemscms Backend CRITICAL Aptsys 2026

Referanslar

http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39

Benzer Kayıtlar

Medium

CVE-2025-52023

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to t…

Critical

CVE-2025-52025

An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backen…

High

CVE-2025-52026

An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend…

Medium

CVE-2025-52022

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers…