CVE Catalog

CVE-2025-52022

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile - higher than 33% of all known CVEs

Summary

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg (up to 2025-05-28) allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This is achieved by sending specially crafted HTTP GET/POST requests to public API endpoints.

Risk Assessment

Exposure of internal file paths, code snippets, and stack traces can aid attackers in further exploitation, including identifying vulnerable components and planning attacks.

Recommendation

Immediately update the application to the latest version and configure the production environment to suppress detailed error messages (e.g., disable display_errors in PHP).

Original NVD description (English source)

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS