CVE-2025-52024

CRITICAL

Aptsys Gemscms Backend < 2025-05-28 - Missing Authorization

Title source: rule

Description

A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.

References (2)

[Product] http://aptsys.com

[Third Party Advisory] https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39

Scores

CVSS v3 9.4

EPSS 0.0005

EPSS Percentile 15.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-306 CWE-425 CWE-862

Status published

Products (1)

aptsys/gemscms_backend < 2025-05-28

Published Jan 23, 2026

Tracked Since Feb 18, 2026