PT-2026-4529 · Aptsys · Aptsys Pos Platform Web Services

Published: 2026-01-23 · Updated: 2026-02-11 · CVE-2025-52024

CVSS v3.1: 9.4 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Aptsys POS Platform Web Services versions prior to 2025-05-29

Description

The Aptsys POS Platform Web Services module contains a flaw that allows unauthenticated users to access internal API testing tools. Accessing specific URLs reveals a directory listing of backend services and POS web services, complete with HTML forms for submitting test input. These tools, intended for developers, are accessible in production without authentication or session validation. This allows external actors to discover, test, and execute API endpoints that perform critical functions, including user transaction retrieval, credit adjustments, POS actions, and internal data queries.

Recommendations

Versions prior to 2025-05-29 should be updated.

Fix

Missing Authentication

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-52024

Affected Products

Aptsys Pos Platform Web Services