CVE-2025-54990
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki (AdminTools extension) | < 1.1 (fixed in 1.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | Incorrect Default Permissions: during installation, installed file permissions are set to allow anyone to modify those files. Here the installed page carried no view restriction, so non-admin users could open it. |
AI Powered Q&A
Can you explain this vulnerability to me?
In XWiki AdminTools, the page AdminTools.SpammedPages could be opened by users without admin rights. A non-admin visitor sees no data on the page, but the page itself was reachable. Versions before 1.1 are affected; version 1.1 fixes the issue by restricting view rights on the page to admin users and the XWikiAdminGroup.
How can this vulnerability impact me?
The impact is limited because a non-admin who reaches AdminTools.SpammedPages sees none of its data. What is exposed is the existence and reachability of an administration page that should have been closed to non-admins, which is why it is classed as an information-disclosure weakness. The CVSS score of 5.3 reflects that: moderate severity, limited confidentiality impact, and no integrity or availability impact.
What immediate steps should I take to mitigate this vulnerability?
Upgrade XWiki AdminTools to version 1.1 or later, where the page's view rights are restricted. If you cannot upgrade yet, apply the workaround: set the view right on the AdminTools space so that only XWikiAdminGroup can view it, which covers AdminTools.SpammedPages along with the rest of the space. After either change, confirm it by requesting the page as a guest and as an ordinary (non-admin) user and checking that view is refused.
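The following is an added example written for this page; it is not code from XWiki, the AdminTools extension, or BaseFortify. It builds the space-level rights object the workaround describes and checks, as a non-admin, whether AdminTools.SpammedPages is still viewable. Assumptions, labelled in the code as well: the XWiki REST layout `/rest/wikis/{wiki}/spaces/{space}/pages/{page}` and its `/objects` collection, the XML object format accepted there, the `XWiki.XWikiGlobalRights` field names (`groups`, `users`, `levels`, `allow`) used for space-level rights on a space's `WebPreferences` page, and that a refused view comes back as HTTP 401 (guest) or 403 (authenticated user). The host and accounts are placeholders.

```python
"""Added example for the CVE-2025-54990 workaround and its verification.

Illustrative code for this page, not XWiki's or AdminTools' own. Assumptions:
the REST endpoint layout, the REST XML object format, the XWikiGlobalRights
field names, and the 401/403 meaning of a refused view. Host and credentials
are placeholders supplied on the command line.
"""
import base64
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional
from xml.etree import ElementTree as ET

XWIKI_NS = "http://www.xwiki.org"


def build_global_rights_xml(groups: str = "XWiki.XWikiAdminGroup",
                            levels: str = "view", allow: bool = True) -> str:
    """Serialise an XWiki.XWikiGlobalRights object in the REST API's XML form.

    Space-level rights are stored on the space's WebPreferences page as
    objects of this class (page-level rights use XWiki.XWikiRights instead).
    Field names assumed from the class: groups, users, levels, allow.
    """
    obj = ET.Element("object", xmlns=XWIKI_NS)
    ET.SubElement(obj, "className").text = "XWiki.XWikiGlobalRights"
    for name, value in (("groups", groups), ("users", ""),
                        ("levels", levels), ("allow", "1" if allow else "0")):
        prop = ET.SubElement(obj, "property", name=name)
        ET.SubElement(prop, "value").text = value
    return ET.tostring(obj, encoding="unicode")


def rights_objects_url(base: str, wiki: str = "xwiki", space: str = "AdminTools") -> str:
    """Object collection of AdminTools.WebPreferences (assumed REST layout)."""
    return f"{base}/rest/wikis/{wiki}/spaces/{space}/pages/WebPreferences/objects"


def page_url(base: str, wiki: str = "xwiki", space: str = "AdminTools",
             page: str = "SpammedPages") -> str:
    """REST resource of the page the CVE is about (assumed REST layout)."""
    return f"{base}/rest/wikis/{wiki}/spaces/{space}/pages/{page}"


def http_status(url: str, user: Optional[str] = None, password: str = "",
                method: str = "GET", body: Optional[bytes] = None,
                content_type: Optional[str] = None, timeout: float = 10.0) -> int:
    """Send one request (optional HTTP Basic auth) and return the status code."""
    req = urllib.request.Request(url, data=body, method=method)
    if content_type:
        req.add_header("Content-Type", content_type)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify_access(status: int) -> str:
    """Interpret the status a non-admin gets for the page.

    200: still viewable, i.e. the vulnerable state. 401/403: view refused
    (assumed: 401 for a guest, 403 for an authenticated user), both 'denied'.
    """
    if status == 200:
        return "viewable"
    if status in (401, 403):
        return "denied"
    return f"unexpected:{status}"


def verify_restricted(base: str, user: Optional[str], password: str = "",
                      fetch: Callable[..., int] = http_status) -> str:
    """Request AdminTools.SpammedPages as the given non-admin (None = guest)."""
    return classify_access(fetch(page_url(base), user=user, password=password))


def apply_workaround(base: str, admin: str, password: str,
                     fetch: Callable[..., int] = http_status) -> int:
    """POST the allow-view-for-XWikiAdminGroup object onto AdminTools.WebPreferences."""
    return fetch(rights_objects_url(base), user=admin, password=password,
                 method="POST", body=build_global_rights_xml().encode(),
                 content_type="application/xml")


if __name__ == "__main__":
    # Usage: python check_admintools.py https://wiki.example.org/xwiki [user password]
    # Placeholder host; run it as a guest and as an ordinary, non-admin account.
    base_url = sys.argv[1]
    account = sys.argv[2] if len(sys.argv) > 2 else None
    secret = sys.argv[3] if len(sys.argv) > 3 else ""
    print(f"AdminTools.SpammedPages as {account or 'guest'}: "
          f"{verify_restricted(base_url, account, secret)}")
```

Run the verification before and after the change so you can see the result flip from "viewable" to "denied" for both a guest and a logged-in non-admin; `apply_workaround` needs an account that can edit the space's preferences. Because the endpoint layout and object format are assumptions, check them against the REST documentation of the XWiki version you run before relying on the POST.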