CVE-2025-52026
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-02-12
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aptsys | gemscms_backend | to 2025-05-28 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an information disclosure issue in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform. The endpoint is unauthenticated and returns a list of cashier accounts including sensitive information such as names, email addresses, usernames, and passwords hashed with MD5. Since MD5 is a weak cryptographic function, the password hashes can be easily reversed using public tools, exposing the plaintext passwords to attackers.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to obtain plaintext credentials of cashier accounts by reversing the weak MD5 password hashes. This allows unauthorized logins, potentially giving attackers access to sensitive point-of-sale operations or backend functions, which could lead to data theft, fraud, or further compromise of the system.