GHSA-V7R8-8P5C-H4XW

Vulnerability from github – Published: 2025-11-18 17:42 – Updated: 2025-11-19 14:22
Summary
XWiki AdminTools application doesn't set permissions on the AdminTools space
Details

Impact

Users without admin rights can open AdminTools.SpammedPages.

Details

View rights on AdminTools.SpammedPages are not restricted to administrators. Non-admin users see no data on the page, but the page itself is still accessible (CWE-276, incorrect default permissions; CVSS 3.1 base score rates it as a low-confidentiality, unauthenticated, network-reachable issue).

Workarounds

Upgrade to application-admintools 1.1, where this is fixed. Until then, set the view right on the AdminTools space so that it is granted only to XWikiAdminGroup.
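As an added example, not code from the advisory or from the AdminTools project, the following Python script shows how a practitioner would verify and apply that workaround against XWiki's REST API. It assumes XWiki's REST object representation (the http://www.xwiki.org XML namespace, a className element and property/value elements), the groups/users/levels/allow property names of XWiki.XWikiGlobalRights, the path /rest/wikis/{wiki}/spaces/{space}/pages/WebPreferences/objects for space-level rights, and that XWiki answers an anonymous view of a restricted page with HTTP 401; the object listing used for the offline check is constructed, not captured from a live wiki.

```python
"""Check whether the AdminTools space restricts 'view' to XWikiAdminGroup and,
if not, add an XWiki.XWikiGlobalRights object to AdminTools.WebPreferences.

Added example for this advisory, not code from the AdminTools project.
Assumptions (not stated by the advisory): XWiki REST XML layout and namespace,
XWikiGlobalRights property names, and a 401 status for anonymous view of a
page the anonymous user may not see.
"""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

XWIKI_NS = "http://www.xwiki.org"
NS = {"x": XWIKI_NS}
RIGHTS_CLASS = "XWiki.XWikiGlobalRights"
ADMIN_GROUP = "XWiki.XWikiAdminGroup"


def build_global_rights_xml(groups=ADMIN_GROUP, levels="view", allow=1):
    """Serialize one space-level rights object: allow <levels> for <groups>."""
    obj = ET.Element("object", xmlns=XWIKI_NS)
    ET.SubElement(obj, "className").text = RIGHTS_CLASS
    for name, value in (("groups", groups), ("users", ""),
                        ("levels", levels), ("allow", str(allow))):
        prop = ET.SubElement(obj, "property", name=name)
        ET.SubElement(prop, "value").text = value
    return ET.tostring(obj, encoding="unicode")


def _properties(obj):
    return {p.get("name"): (p.findtext("x:value", namespaces=NS) or "").strip()
            for p in obj.findall("x:property", NS)}


def _split(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def admin_only_view(objects_xml):
    """True if the XML (one object or an <objects> listing) grants 'view' to
    XWikiAdminGroup and to nobody else.

    In XWiki an allow rule for a level denies that level to everyone not
    listed, so one allow rule for the admin group is enough; any further
    allow rule for another group or user reopens the space, and an
    explicit deny rule (allow=0) for the admin group is not a restriction.
    """
    root = ET.fromstring(objects_xml)
    allowed_groups, allowed_users = set(), set()
    for obj in root.iter(f"{{{XWIKI_NS}}}object"):
        if obj.findtext("x:className", namespaces=NS) != RIGHTS_CLASS:
            continue
        props = _properties(obj)
        if "view" not in _split(props.get("levels", "")) or props.get("allow") != "1":
            continue
        allowed_groups |= _split(props.get("groups", ""))
        allowed_users |= _split(props.get("users", ""))
    return allowed_groups == {ADMIN_GROUP} and not allowed_users


def anonymous_view_status(base_url, space="AdminTools", page="SpammedPages"):
    """HTTP status for an unauthenticated view of space.page.
    200 means the page is reachable without login; 401 (assumed XWiki
    behaviour) means a login is required."""
    url = f"{base_url.rstrip('/')}/bin/view/{space}/{page}"
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def restrict_space_view(base_url, user, password, wiki="xwiki", space="AdminTools"):
    """Apply the workaround: POST the rights object onto the space's
    WebPreferences page (XWiki replies 201 when the object is created)."""
    url = (f"{base_url.rstrip('/')}/rest/wikis/{wiki}/spaces/{space}"
           "/pages/WebPreferences/objects")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=build_global_rights_xml().encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/xml"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample of a WebPreferences object listing for a space that
# carries no rights object at all (the vulnerable state).
UNRESTRICTED_LISTING = (
    f'<objects xmlns="{XWIKI_NS}">'
    '<object><className>XWiki.XWikiPreferences</className>'
    '<property name="skin"><value>XWiki.DefaultSkin</value></property></object>'
    '</objects>'
)

# Constructed listing where view is granted to admins but also to all users:
# the admin rule alone does not restrict anything here.
REOPENED_LISTING = (f'<objects xmlns="{XWIKI_NS}">'
                    + build_global_rights_xml()
                    + build_global_rights_xml(groups="XWiki.XWikiAllGroup")
                    + '</objects>')

if __name__ == "__main__":
    print("no rights object  ->", admin_only_view(UNRESTRICTED_LISTING))
    print("admin-only rule   ->", admin_only_view(build_global_rights_xml()))
    print("admin + all users ->", admin_only_view(REOPENED_LISTING))
```

To use it against a real instance, fetch the object listing from the REST path above as an administrator, pass it to admin_only_view, and only call restrict_space_view when it returns False; afterwards anonymous_view_status should no longer return 200 for AdminTools.SpammedPages. Note that adding a second allow rule later (for example for XWiki.XWikiAllGroup) silently undoes the workaround, which is why the check inspects every view rule rather than just looking for the admin one.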


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.xwiki.admintools:application-admintools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-18T17:42:53Z",
    "nvd_published_at": "2025-11-18T23:15:48Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsers without admin rights have access to `AdminTools.SpammedPages`. \n\n### Details\nView rights are not restricted only to admin users for `AdminTools.SpammedPages`. While no data is visible to non admin users, the page is still accessible.\n\n### Workarounds\nSet the view rights for the `AdminTools` space to be only available for the `XWikiAdminGroup`.",
  "id": "GHSA-v7r8-8p5c-h4xw",
  "modified": "2025-11-19T14:22:45Z",
  "published": "2025-11-18T17:42:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwikisas/application-admintools/security/advisories/GHSA-v7r8-8p5c-h4xw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54990"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwikisas/application-admintools"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki AdminTools application doesn\u0027t set permissions on the AdminTools space"
}

