GHSA-v7r8-8p5c-h4xw: XWiki AdminTools application doesn't set permissions on the AdminTools space

Impact

Users without admin rights have access to AdminTools.SpammedPages.

Details

View rights on AdminTools.SpammedPages are not restricted to admin users. Although no data is visible to non-admin users, the page itself is still accessible.

Workarounds

Restrict the view right on the AdminTools space so that it is granted only to the XWikiAdminGroup.
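
One way to apply this workaround from a script instead of the rights UI, as an added example that is not part of the advisory or of the AdminTools project. It assumes the script runs in a {{groovy}} macro as a user with programming rights, that the space preferences document is AdminTools.WebPreferences, and that the admin group is XWiki.XWikiAdminGroup on the current wiki.

```groovy
// Added example: grant "view" on the AdminTools space to XWikiAdminGroup only.
// Assumptions: executed inside a {{groovy}} macro by a user with programming
// rights; names below match a default XWiki install.
def spacePrefs  = "AdminTools.WebPreferences"   // space-level rights live on WebPreferences
def rightsClass = "XWiki.XWikiGlobalRights"     // rights that apply to the whole space
def adminGroup  = "XWiki.XWikiAdminGroup"

def doc = xwiki.getDocument(spacePrefs)

// Idempotence check: look for an existing allow-view rule for the admin group.
def alreadySet = doc.getObjects(rightsClass).any { obj ->
    def groups = (obj.getProperty("groups")?.value ?: "").toString()
    def levels = (obj.getProperty("levels")?.value ?: "").toString()
    def allow  = obj.getProperty("allow")?.value
    groups.split(",")*.trim().contains(adminGroup) &&
        levels.split(",")*.trim().contains("view") &&
        allow == 1
}

if (alreadySet) {
    println "View right on the AdminTools space is already limited to ${adminGroup}."
} else {
    // An explicit allow for a level implicitly denies that level to every
    // user and group not listed, so no separate deny rule is needed.
    def rule = doc.newObject(rightsClass)
    rule.set("groups", adminGroup)
    rule.set("levels", "view")
    rule.set("allow", 1)
    doc.save("Restrict view right on the AdminTools space to XWikiAdminGroup")
    println "Added allow-view rule for ${adminGroup} on ${spacePrefs}."
}
```

After running it, request AdminTools.SpammedPages as a non-admin user and confirm that access is denied.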

CVE-2025-54990

Package

com.xwiki.admintools:application-admintools (Maven)

References

  • GHSA-v7r8-8p5c-h4xw

Published to the GitHub Advisory Database: Nov 18, 2025

Last updated: Nov 18, 2025
