GHSA-v7r8-8p5c-h4xw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v7r8-8p5c-h4xw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-v7r8-8p5c-h4xw/GHSA-v7r8-8p5c-h4xw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v7r8-8p5c-h4xw
- Aliases
-
- CVE-2025-54990
- Published
- 2025-11-18T17:42:53Z
- Modified
- 2025-11-18T18:12:51.450922Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- XWiki AdminTools application doesn't set permissions on the AdminTools space
- Details
-
Impact
Users without admin rights have access to
AdminTools.SpammedPages.Details
View rights are not restricted only to admin users for
AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible.Workarounds
Set the view rights for the
AdminToolsspace to be only available for theXWikiAdminGroup. - Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-276" ], "nvd_published_at": null, "github_reviewed_at": "2025-11-18T17:42:53Z" }- References
Affected packages
Maven / com.xwiki.admintools:application-admintools
Package
- Name
- com.xwiki.admintools:application-admintools
- View open source insights on deps.dev
- Purl
- pkg:maven/com.xwiki.admintools/application-admintools