ReverseThatApp/aptsys-gemscms-gemsloyalty-2025-multi-cve-advisory.txt

## aptsys-gemscms-gemsloyalty-2025-multi-cve-advisory.txt
Public Advisory: CVE-2025-52022, 52023, 52024, 52025, 52026 — Combined Public Advisory for Aptsys gemscms & gemsloyalty Vulnerabilities
Reporter: Independent Security Researcher
Date: November 2025
Note: Sensitive details redacted to protect unpatched systems.

=====================================================================
CVE-2025-52026 — Unauthenticated Data Exposure in Aptsys gemscms Backend
=====================================================================

Vendor: Aptsys (http://aptsys.com.sg/)
Product: gemscms backend (POS platform)
Impact: Exposure of staff account details (emails, usernames, MD5 hashes)
Type: Unauthenticated Information Disclosure
Status: Vendor has not acknowledged; remains unpatched.

Summary:
A publicly accessible API endpoint in the Aptsys gemscms backend returns staff/cashier account data including email addresses, usernames, and MD5-hashed passwords. MD5 hashes are reversible, allowing attackers to recover plaintext passwords and impersonate users.

Description:
During normal use of an Aptsys-powered mobile application in May 2025, an unauthenticated API call was found to expose staff account details. No authentication is required, and the endpoint is accessible in production deployments across multiple customers.

Attack Vector:
Remote attacker sends HTTP GET/POST request to a public API path. No authentication or token is needed.

Impact:
- Disclosure of sensitive staff account data
- Plaintext password recovery through MD5 cracking
- Unauthorized POS or backend access

Timeline:
- Discovered: May 2025
- Vendor notified repeatedly: May–Nov 2025
- CVE reserved: July 2025
- Public disclosure: November 2025

Mitigations:
Enforce authentication, remove password hashes from API responses, replace MD5 with modern password hashing (Argon2/bcrypt).

=====================================================================
CVE-2025-52025 — SQL Injection Vulnerability in Aptsys gemscms Backend
=====================================================================

Vendor: Aptsys
Product: gemscms backend (POS platform)
Impact: Unauthorized SQL execution; data leakage or modification
Type: SQL Injection
Status: Unpatched; vendor did not respond.

Summary:
A backend API that processes a restaurant identifier parameter concatenates user input directly into SQL queries without sanitization or parameterization, allowing remote unauthenticated attackers to inject arbitrary SQL.

Description:
Discovered during normal use of an Aptsys client application in May 2025. Malicious SQL payloads can be injected through a POST parameter, enabling database manipulation.

Impact:
- Extraction of sensitive customer/business data
- Modification or deletion of records
- Potential full database compromise

Timeline:
- Discovered: May 2025
- Vendor notified: May–Nov 2025
- CVE reserved: July 2025
- Public disclosure: November 2025

Mitigations:
Implement prepared statements, sanitize user input, restrict endpoint access, deploy WAF rules.

=====================================================================
CVE-2025-52024 — Exposed Developer Web Services Panel in Aptsys gemscms Backend
=====================================================================

Vendor: Aptsys
Product: gemscms POS Platform (backend)
Impact: Unauthorized access to internal developer panels and backend functions
Type: Security Misconfiguration / Unauthenticated Access
Status: Unpatched; vendor silent.

Summary:
Production deployments of the Aptsys POS Web Services module expose developer/QA testing panels to the public internet. These interfaces list dozens of internal backend endpoints and allow direct execution of POS and business-logic operations without authentication.

Description:
Panels accessible via predictable URL paths provide HTML forms for live execution of backend APIs such as credit adjustments, order management, and user account operations.

Impact:
- Full discovery of internal APIs
- Execution of sensitive backend operations
- Possible IDOR, SSRF, or business logic abuse

Timeline:
- Discovered: Apr–May 2025
- Vendor notified: May–Nov 2025
- CVE reserved: July 2025
- Public disclosure: November 2025

Mitigations:
Remove debug panels from production; enforce authentication and RBAC; restrict access behind VPN.

=====================================================================
CVE-2025-52023 — Verbose Error Message Exposure in Aptsys gemscms Backend
=====================================================================

Vendor: Aptsys
Product: gemscms backend
Impact: Disclosure of internal file paths, stack traces, code fragments
Type: Information Disclosure (CWE-209)
Status: Not fixed; no vendor response.

Summary:
Malformed GET/POST requests to gemscms backend APIs trigger unhandled exceptions that expose verbose PHP error messages and stack traces, revealing sensitive internal server information.

Description:
During normal app usage in May 2025, internal PHP errors containing file paths and code snippets were returned to unauthenticated users. This behavior can be triggered at multiple public API endpoints.

Impact:
- Leakage of sensitive backend internals
- Data useful for further attacks (SQLi, LFI, RCE)
- Increased attack surface for enumeration

Timeline:
- Discovered: May 2025
- Vendor notified: May–Nov 2025
- CVE reserved: July 2025
- Public disclosure: November 2025

Mitigations:
Disable verbose errors in production; implement centralized sanitized error handling.

=====================================================================
CVE-2025-52022 — Verbose Error Message Exposure in Aptsys gemsloyalty Backend
=====================================================================

Vendor: Aptsys
Product: gemsloyalty backend
Impact: Disclosure of internal file paths, stack traces, code fragments
Type: Information Disclosure (CWE-209)
Status: Vendor has not acknowledged the issue.

Summary:
The Aptsys gemsloyalty backend leaks sensitive internal details through verbose PHP error messages when invalid requests are sent to public endpoints.

Description:
Similar to CVE-2025-52023 but occurring on the gemsloyalty backend infrastructure. Attackers can trigger exceptions and receive full diagnostic output.

Impact:
- Disclosure of server paths and backend logic
- Reveals framework, variable names, and partial code
- Aids subsequent exploitation attempts

Timeline:
- Discovered: May 2025
- Vendor notified: May–Nov 2025
- CVE reserved: July 2025
- Public disclosure: November 2025

Mitigations:
Disable debug/error output in production; implement proper input validation and error handling.

=====================================================================
END OF COMBINED ADVISORY
=====================================================================
	Public Advisory: CVE-2025-52022, 52023, 52024, 52025, 52026 — Combined Public Advisory for Aptsys gemscms & gemsloyalty Vulnerabilities
	Reporter: Independent Security Researcher
	Date: November 2025
	Note: Sensitive details redacted to protect unpatched systems.

	=====================================================================
	CVE-2025-52026 — Unauthenticated Data Exposure in Aptsys gemscms Backend
	=====================================================================

	Vendor: Aptsys (http://aptsys.com.sg/)
	Product: gemscms backend (POS platform)
	Impact: Exposure of staff account details (emails, usernames, MD5 hashes)
	Type: Unauthenticated Information Disclosure
	Status: Vendor has not acknowledged; remains unpatched.

	Summary:
	A publicly accessible API endpoint in the Aptsys gemscms backend returns staff/cashier account data including email addresses, usernames, and MD5-hashed passwords. MD5 hashes are reversible, allowing attackers to recover plaintext passwords and impersonate users.

	Description:
	During normal use of an Aptsys-powered mobile application in May 2025, an unauthenticated API call was found to expose staff account details. No authentication is required, and the endpoint is accessible in production deployments across multiple customers.

	Attack Vector:
	Remote attacker sends HTTP GET/POST request to a public API path. No authentication or token is needed.

	Impact:
	- Disclosure of sensitive staff account data
	- Plaintext password recovery through MD5 cracking
	- Unauthorized POS or backend access

	Timeline:
	- Discovered: May 2025
	- Vendor notified repeatedly: May–Nov 2025
	- CVE reserved: July 2025
	- Public disclosure: November 2025

	Mitigations:
	Enforce authentication, remove password hashes from API responses, replace MD5 with modern password hashing (Argon2/bcrypt).

	=====================================================================
	CVE-2025-52025 — SQL Injection Vulnerability in Aptsys gemscms Backend
	=====================================================================

	Vendor: Aptsys
	Product: gemscms backend (POS platform)
	Impact: Unauthorized SQL execution; data leakage or modification
	Type: SQL Injection
	Status: Unpatched; vendor did not respond.

	Summary:
	A backend API that processes a restaurant identifier parameter concatenates user input directly into SQL queries without sanitization or parameterization, allowing remote unauthenticated attackers to inject arbitrary SQL.

	Description:
	Discovered during normal use of an Aptsys client application in May 2025. Malicious SQL payloads can be injected through a POST parameter, enabling database manipulation.

	Impact:
	- Extraction of sensitive customer/business data
	- Modification or deletion of records
	- Potential full database compromise

	Timeline:
	- Discovered: May 2025
	- Vendor notified: May–Nov 2025
	- CVE reserved: July 2025
	- Public disclosure: November 2025

	Mitigations:
	Implement prepared statements, sanitize user input, restrict endpoint access, deploy WAF rules.

	=====================================================================
	CVE-2025-52024 — Exposed Developer Web Services Panel in Aptsys gemscms Backend
	=====================================================================

	Vendor: Aptsys
	Product: gemscms POS Platform (backend)
	Impact: Unauthorized access to internal developer panels and backend functions
	Type: Security Misconfiguration / Unauthenticated Access
	Status: Unpatched; vendor silent.

	Summary:
	Production deployments of the Aptsys POS Web Services module expose developer/QA testing panels to the public internet. These interfaces list dozens of internal backend endpoints and allow direct execution of POS and business-logic operations without authentication.

	Description:
	Panels accessible via predictable URL paths provide HTML forms for live execution of backend APIs such as credit adjustments, order management, and user account operations.

	Impact:
	- Full discovery of internal APIs
	- Execution of sensitive backend operations
	- Possible IDOR, SSRF, or business logic abuse

	Timeline:
	- Discovered: Apr–May 2025
	- Vendor notified: May–Nov 2025
	- CVE reserved: July 2025
	- Public disclosure: November 2025

	Mitigations:
	Remove debug panels from production; enforce authentication and RBAC; restrict access behind VPN.

	=====================================================================
	CVE-2025-52023 — Verbose Error Message Exposure in Aptsys gemscms Backend
	=====================================================================

	Vendor: Aptsys
	Product: gemscms backend
	Impact: Disclosure of internal file paths, stack traces, code fragments
	Type: Information Disclosure (CWE-209)
	Status: Not fixed; no vendor response.

	Summary:
	Malformed GET/POST requests to gemscms backend APIs trigger unhandled exceptions that expose verbose PHP error messages and stack traces, revealing sensitive internal server information.

	Description:
	During normal app usage in May 2025, internal PHP errors containing file paths and code snippets were returned to unauthenticated users. This behavior can be triggered at multiple public API endpoints.

	Impact:
	- Leakage of sensitive backend internals
	- Data useful for further attacks (SQLi, LFI, RCE)
	- Increased attack surface for enumeration

	Timeline:
	- Discovered: May 2025
	- Vendor notified: May–Nov 2025
	- CVE reserved: July 2025
	- Public disclosure: November 2025

	Mitigations:
	Disable verbose errors in production; implement centralized sanitized error handling.

	=====================================================================
	CVE-2025-52022 — Verbose Error Message Exposure in Aptsys gemsloyalty Backend
	=====================================================================

	Vendor: Aptsys
	Product: gemsloyalty backend
	Impact: Disclosure of internal file paths, stack traces, code fragments
	Type: Information Disclosure (CWE-209)
	Status: Vendor has not acknowledged the issue.

	Summary:
	The Aptsys gemsloyalty backend leaks sensitive internal details through verbose PHP error messages when invalid requests are sent to public endpoints.

	Description:
	Similar to CVE-2025-52023 but occurring on the gemsloyalty backend infrastructure. Attackers can trigger exceptions and receive full diagnostic output.

	Impact:
	- Disclosure of server paths and backend logic
	- Reveals framework, variable names, and partial code
	- Aids subsequent exploitation attempts

	Timeline:
	- Discovered: May 2025
	- Vendor notified: May–Nov 2025
	- CVE reserved: July 2025
	- Public disclosure: November 2025

	Mitigations:
	Disable debug/error output in production; implement proper input validation and error handling.

	=====================================================================
	END OF COMBINED ADVISORY
	=====================================================================
No results found