PT-2026-4531 · Aptsys · Gemscms

Published 2026-01-23 · Updated 2026-02-12 · CVE-2025-52026

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Aptsys gemscms backend platform versions prior to 2025-05-29

Description

An information disclosure issue exists in the /srvs/membersrv/getCashiers API endpoint of the Aptsys gemscms backend platform. This unauthenticated endpoint reveals a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. Due to MD5 being a compromised cryptographic function, these hashes can be readily reversed using publicly available tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive Point of Sale (POS) operations or backend functions.

Recommendations

Versions prior to 2025-05-29 should be updated. As a temporary workaround, restrict access to the /srvs/membersrv/getCashiers endpoint.
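
To check whether the endpoint was reached before the update or workaround was in place, the following added example (not part of the advisory or vendor material) scans web access logs for successful requests to /srvs/membersrv/getCashiers from outside an allowlist. It assumes the Apache/nginx "combined" log format, a placeholder `ALLOWED_NETS` range, and case-insensitive path matching; the sample log lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/srvs/membersrv/getCashiers"  # path named in the advisory
# Assumption: placeholder range for hosts that may legitimately call the endpoint.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumption: access logs use the Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def normalize_path(target):
    """Drop the query, decode %xx, collapse slashes and dot segments, lowercase."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(re.sub(r"/{2,}", "/", path)).lower()

def exposed_requests(lines):
    """Return 2xx requests to ENDPOINT that came from outside ALLOWED_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT.lower():
            continue
        if not m["status"].startswith("2"):
            continue  # blocked or failed requests returned no cashier data
        try:
            allowed = any(ipaddress.ip_address(m["ip"]) in n for n in ALLOWED_NETS)
        except ValueError:
            allowed = False  # client field is not an IP literal: report it
        if allowed:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({"ip": m["ip"], "time": m["ts"], "bytes": size})
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2026:09:14:02 +0000] "GET /srvs/membersrv/getCashiers HTTP/1.1" 200 4812 "-" "curl/8.5.0"
10.20.3.4 - - [20/Jan/2026:09:15:40 +0000] "GET /srvs/membersrv/getCashiers HTTP/1.1" 200 4812 "-" "pos-client"
198.51.100.9 - - [24/Jan/2026:11:02:17 +0000] "GET /srvs//membersrv/getCashiers/?x=1 HTTP/1.1" 403 153 "-" "-"
198.51.100.23 - - [21/Jan/2026:03:44:51 +0000] "GET /srvs/membersrv/%67etCashiers HTTP/1.1" 200 4790 "-" "-"
203.0.113.7 - - [20/Jan/2026:09:14:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for hit in exposed_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any hit means the cashier list, including the MD5 password hashes, should be treated as disclosed to that client, so the affected passwords need to be reset in addition to applying the update.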

Fix

Use of a Broken Cryptographic Algorithm

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-52026

Affected Products

Gemscms