Gemscms Backend
CVE-2025-52024
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.
AnalysisAI
Aptsys POS Platform Web Services module exposes internal API testing endpoints to the public, allowing unauthenticated access to point-of-sale backend systems.
Technical ContextAI
The Aptsys POS Platform has internal API testing endpoints exposed without authentication (CWE-306), providing direct access to POS backend functionality including payment processing and order management.
RemediationAI
Disable testing endpoints in production. Implement authentication on all API endpoints. Conduct PCI DSS compliance review.
More in Gemscms Backend
View allAptsys gemscms POS Platform has a SQL injection in the GetServiceByRestaurantID endpoint allowing extraction of restaura
An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend
A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to t
A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today