ghsa-v7r8-8p5c-h4xw
Vulnerability from github
Published
2025-11-18 17:42
Modified
2025-11-19 14:22
Summary
XWiki AdminTools application doesn't set permissions on the AdminTools space
Details

Impact

Users without admin rights have access to AdminTools.SpammedPages.

Details

View rights on AdminTools.SpammedPages are not restricted to admin users. While no data is visible to non-admin users, the page is still accessible.

Workarounds

Set the view rights for the AdminTools space to be only available for the XWikiAdminGroup.



{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.xwiki.admintools:application-admintools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-18T17:42:53Z",
    "nvd_published_at": "2025-11-18T23:15:48Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsers without admin rights have access to `AdminTools.SpammedPages`. \n\n### Details\nView rights are not restricted only to admin users for `AdminTools.SpammedPages`. While no data is visible to non admin users, the page is still accessible.\n\n### Workarounds\nSet the view rights for the `AdminTools` space to be only available for the `XWikiAdminGroup`.",
  "id": "GHSA-v7r8-8p5c-h4xw",
  "modified": "2025-11-19T14:22:45Z",
  "published": "2025-11-18T17:42:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwikisas/application-admintools/security/advisories/GHSA-v7r8-8p5c-h4xw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54990"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwikisas/application-admintools"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki AdminTools application doesn\u0027t set permissions on the AdminTools space"
}

