Aptsys gemscms Backend Verbose Error Message Exposure Vulnerability

A vulnerability exists in the PHP backend of Aptsys gemscms, affecting versions through May 28, 2025. It allows unauthenticated remote attackers to send specially crafted HTTP GET or POST requests to public API endpoints, triggering detailed error messages that disclose internal file paths, code snippets, and stack traces. This information leakage, classified under CWE-209, could be exploited for further attacks.

Impact

The vulnerability exposes sensitive internal server information, including file paths and code fragments, through unhandled PHP exceptions. This leakage could facilitate subsequent exploitation attempts, such as SQL injection, local file inclusion, or remote code execution, and increase the attack surface for enumeration.

Reproduction

The vulnerability can be reproduced by sending malformed HTTP GET or POST requests to public API endpoints on the Aptsys gemscms backend. This will trigger unhandled exceptions that expose verbose PHP error messages, including internal file paths, code snippets, and stack traces.

Remediation

To address this vulnerability, disable verbose error reporting in production environments and implement centralized error handling that sanitizes output. Additionally, the vendor should be encouraged to acknowledge and patch the issue.