CVE-2025-52024
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-02-11
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aptsys | gemscms_backend | up to 2025-05-28 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-425 | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Aptsys POS Platform Web Services module allows unauthenticated users to access internal API testing tools. By visiting certain URLs, an attacker can see a directory listing of backend services and POS web services, each with an HTML form to submit test inputs. These tools, meant for developers, are exposed in production without any authentication or session checks, enabling attackers to discover, test, and execute critical API endpoints.
How can this vulnerability impact me?
The vulnerability allows any external attacker to access and execute critical backend API functions such as user transaction retrieval, credit adjustments, POS actions, and internal data queries without authentication. This can lead to unauthorized data access, manipulation of transactions, and potentially fraudulent activities impacting business operations and customer data integrity.