Aptsys Gemscms Backend Information Disclosure Vulnerability
Vulnerability
An information disclosure vulnerability exists in the Aptsys gemscms backend platform, specifically in the 'getCashiers' endpoint. This unauthenticated endpoint, available through May 28, 2025, exposes a list of cashier accounts, including names, email addresses, usernames, and passwords hashed with MD5. Because MD5 is a broken cryptographic hash function, the original passwords can be easily recovered from these hashes using publicly available tools, revealing user credentials in plaintext. This enables remote attackers to log in without authorization and potentially access sensitive point-of-sale operations or backend functions.
Impact
Exploitation of this vulnerability leads to unauthorized access to staff account details, including emails, usernames, and MD5-hashed passwords. Because the MD5 hashes are easily cracked, plaintext passwords can be recovered, facilitating impersonation of users. This could result in unauthorized access to POS or backend operations.
Remediation
To address this vulnerability, it is recommended to enforce authentication for the endpoint, remove password hashes from API responses, and replace MD5 with a modern password hashing algorithm such as Argon2 or bcrypt.
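The three remediation steps above in one sketch, as an added example that is not Aptsys code. The handler signature, session shape, field names and storage format are assumptions, and scrypt from Python's standard library stands in for Argon2 or bcrypt so the block runs without third-party packages.

```python
import hashlib
import hmac
import os

# Fields the listing may return (assumed); hashes and emails are never serialized.
PUBLIC_FIELDS = ("name", "username")

def legacy_md5(password):
    """The weak scheme being retired: unsalted MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Salted scrypt hash, stored as 'scrypt$<salt hex>$<key hex>'."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify_and_upgrade(user, password):
    """Check a login; re-hash a legacy MD5 record once the password is proven."""
    stored = user["password_hash"]
    if stored.startswith("scrypt$"):
        salt = bytes.fromhex(stored.split("$")[1])
        return hmac.compare_digest(hash_password(password, salt), stored)
    if hmac.compare_digest(legacy_md5(password), stored):
        user["password_hash"] = hash_password(password)  # MD5 value is overwritten
        return True
    return False

def get_cashiers(session, users):
    """Authenticated listing that returns allowlisted fields only."""
    if not session or not session.get("authenticated"):
        return 401, {"error": "authentication required"}
    return 200, [{f: u[f] for f in PUBLIC_FIELDS} for u in users]

def sample_users():
    """Constructed record for the demo, not data from the affected product."""
    return [{"name": "Alice Example", "email": "alice@example.test",
             "username": "alice", "password_hash": legacy_md5("demo-pass-1")}]

if __name__ == "__main__":
    users = sample_users()
    print(get_cashiers(None, users))
    print(get_cashiers({"authenticated": True}, users))
    print(verify_and_upgrade(users[0], "demo-pass-1"), users[0]["password_hash"][:7])
```

Upgrade-on-login only converts accounts that sign in, so dormant accounts keep their MD5 hash until a forced reset replaces it.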
