CVE Catalog

CVE-2025-52023

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

33th percentile - higher than 33% of all known CVEs

Summary

A vulnerability in the PHP backend of gemscms.aptsys.com.sg (through May 28, 2025) allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This is achieved by sending specially crafted HTTP GET/POST requests to public API endpoints.

Risk Assessment

Exposure of internal file paths and code snippets can aid an attacker in further exploitation, such as identifying vulnerable components or preparing a targeted attack.

Recommendation

Immediately update gemscms to the latest version and configure the production environment to suppress detailed error messages (e.g., disable debug mode in PHP).

Original NVD description (English source)

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS