CVE-2025-54990
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-18

Last updated on: 2025-11-18

Assigner: GitHub, Inc.

Description
XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible. This issue has been patched in version 1.1. A workaround involves setting the view rights for the AdminTools space to be only available for the XWikiAdminGroup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-18
Last Modified
2025-11-18
Generated
2026-06-16
AI Q&A
2025-11-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-54990
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xwiki xwiki 1.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in XWiki AdminTools allows users without admin rights to access the AdminTools.SpammedPages page. Although non-admin users cannot see any data on this page, the page itself is accessible to them. This issue existed prior to version 1.1 and has been fixed in that version by restricting view rights to only admin users or the XWikiAdminGroup.

Impact Analysis

The impact of this vulnerability is limited since non-admin users cannot view any data on the accessible page. However, unauthorized access to the AdminTools.SpammedPages page could potentially expose the system to information disclosure risks or be used as a vector for further attacks. The CVSS score of 5.3 indicates a moderate severity with limited confidentiality impact and no integrity or availability impact.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade XWiki AdminTools to version 1.1 or later where the issue is patched. Alternatively, as a workaround, set the view rights for the AdminTools space to be accessible only by the XWikiAdminGroup to restrict access to AdminTools.SpammedPages.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54990. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart