9.4
CVE-2025-52024
- EPSS 0.05%
- Veröffentlicht 23.01.2026 00:00:00
- Zuletzt bearbeitet 11.02.2026 19:23:51
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginA vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Aptsys ≫ Gemscms Backend Version <= 2025-05-28
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.149 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.4 | 3.9 | 5.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-425 Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.