Aptsys Gemsloyalty Backend Verbose Error Message Exposure Vulnerability

Vulnerability

A vulnerability exists in the Aptsys gemsloyalty backend that lets unauthenticated remote attackers abuse its public API endpoints. By sending malformed or otherwise unexpected HTTP GET or POST requests, an attacker can trigger unhandled exceptions, and the resulting verbose PHP error messages are returned in the HTTP response. These messages disclose internal details such as absolute file paths, source code excerpts, and stack traces. No authentication is required, and the information gained can be used to prepare further attacks. The vulnerability is present in versions of the gemsloyalty backend through May 28, 2025.

Impact

Exploitation of this vulnerability discloses internal server details, including file paths, framework and version information, variable names, and partial source code that together describe the backend logic. On its own the leak does not grant access, but it gives an attacker an accurate map of the code base and deployment layout, which lowers the effort of enumeration and of any subsequent exploitation attempt against the same endpoints.

Remediation

To address this vulnerability, Aptsys should disable the display of errors to clients in production (keeping full error detail in server-side logs only) and implement a centralized exception and error handler that returns a generic, sanitized response body. The handler should cover uncaught exceptions, PHP warnings and notices, and fatal errors raised during shutdown, since any of these can otherwise be rendered inline. Additionally, the public API endpoints should validate and reject malformed requests before processing them, so that bad input yields a controlled 4xx response rather than an exception path.
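The following is an added illustration of the remediation described above; it is not Aptsys or gemsloyalty code, and nothing is known about the vendor's framework. It shows the weak production setting that produces the disclosure next to a hardened configuration, plus a centralized handler that logs the exception's message, file, line and trace server-side and returns only a generic JSON body with a correlation reference. The endpoint logic, the `member_id` parameter and the response format are hypothetical.

```php
<?php
// Added example, not the vendor's code. Generic PHP JSON API bootstrap that
// keeps error detail in the server log and out of the HTTP response.
// Endpoint, parameter and response-shape names below are hypothetical.

declare(strict_types=1);

// --- Weak production setting (the source of the disclosure) ---
// ini_set('display_errors', '1');   // renders paths, code excerpts and traces to the client

// --- Hardened setting ---
ini_set('display_errors', '0');          // never render errors into the HTTP response
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');              // keep the full detail server-side
error_reporting(E_ALL);                  // still report everything, just not to the client

/**
 * Emit a sanitized JSON error and stop. $ref lets support correlate the
 * client-visible response with the detailed server-side log entry
 * without revealing any internals.
 */
function respond_sanitized(int $status, string $ref): void
{
    if (!headers_sent()) {
        http_response_code($status);
        header('Content-Type: application/json');
    }
    echo json_encode(['error' => 'request failed', 'ref' => $ref]);
    exit;
}

// Uncaught exceptions (including PHP 8 TypeError/ValueError): log everything,
// return nothing of it.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf("[%s] %s: %s at %s:%d%s%s",
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()));
    respond_sanitized(500, $ref);
});

// Warnings and notices: convert to exceptions so they reach the handler
// above instead of being printed inline by the engine.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Fatal errors bypass set_error_handler; catch them at shutdown so the
// client still receives a sanitized body rather than the engine's message.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        $ref = bin2hex(random_bytes(8));
        error_log(sprintf('[%s] fatal: %s at %s:%d', $ref, $err['message'], $err['file'], $err['line']));
        respond_sanitized(500, $ref);
    }
});

// Hypothetical endpoint: validate the request before touching it, so a
// malformed body becomes a controlled 400 instead of an exception path.
$raw  = (string) file_get_contents('php://input');
$body = json_decode($raw, true, 512);
if (!is_array($body) || !isset($body['member_id']) || !is_string($body['member_id'])) {
    respond_sanitized(400, bin2hex(random_bytes(8)));
}

// ... endpoint logic continues with $body['member_id'] ...
```

To confirm the setting on a deployed host, run `php -r 'var_dump(ini_get("display_errors"));'` with the same php.ini the web SAPI loads, and check that the application's own debug mode (most PHP frameworks have one that re-enables verbose output regardless of php.ini) is off in production.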

Added: Jan 23, 2026, 9:22 PM
Updated: Jan 23, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.