CVE-2025-54990

XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible. This issue has been patched in version 1.1. A workaround involves setting the view rights for the AdminTools space to be only available for the XWikiAdminGroup.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/xwikisas/application-admintools/security/advisories/GHSA-v7r8-8p5c-h4xw

Configurations

No configuration.

History

18 Nov 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-18 23:15

Updated : 2025-11-19 19:14

NVD link : CVE-2025-54990

Mitre link : CVE-2025-54990

CVE.ORG link : CVE-2025-54990

JSON object : View

Products Affected

No product.

CWE

CWE-276

Incorrect Default Permissions

5.3 /10