CVE-2025-55948
BaseFortify
Publication date: 2025-12-04
Last updated on: 2025-12-08
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yzcheng90 | x-springboot | 6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the role-based access control of yzcheng90 X-SpringBoot 6.0, which relies on two separate stores: a frontend menu configuration that decides which functions the UI shows, and backend permission tables that decide which API calls are accepted. The issue is that updates to the frontend menus, such as revoking a privilege from a role, are not atomically synchronized with the backend permission tables. As a result, the user interface correctly hides the restricted functions, but the backend permissions remain stale and still allow the corresponding API calls. Hiding a function in the UI is not an authorization control: an attacker who calls the API directly can exploit this desynchronization to perform privileged actions such as creating high-permission user accounts, accessing sensitive data, and executing admin-level commands.
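The following is an added example, not code from X-SpringBoot, that models the desynchronization described above with an in-memory SQLite database. The table and column names (`menu`, `role_menu`, `role_perm`) and the permission strings are assumptions chosen for the illustration. It contrasts a menu-only revoke, after which the backend still grants the permission, with an atomic revoke that updates both stores in one transaction, and includes an audit query a practitioner could adapt to find roles whose backend permissions no longer match their visible menus.

```python
import sqlite3

# Constructed schema modelled on a typical menu-driven RBAC layout.
# Table and column names are assumptions for this example, not X-SpringBoot's.
SCHEMA = """
CREATE TABLE menu (id INTEGER PRIMARY KEY, name TEXT, perm TEXT);
CREATE TABLE role_menu (role TEXT, menu_id INTEGER);  -- drives what the frontend shows
CREATE TABLE role_perm (role TEXT, perm TEXT);        -- what the backend actually checks
"""


def setup():
    """Build a database where role 'operator' can see and use two menu functions."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO menu VALUES (?, ?, ?)", [
        (1, "User Add", "sys:user:save"),   # constructed sample permission strings
        (2, "User List", "sys:user:list"),
    ])
    db.executemany("INSERT INTO role_menu VALUES (?, ?)", [("operator", 1), ("operator", 2)])
    db.executemany("INSERT INTO role_perm VALUES (?, ?)",
                   [("operator", "sys:user:save"), ("operator", "sys:user:list")])
    return db


def visible_menus(db, role):
    """What the frontend would render for this role."""
    rows = db.execute(
        "SELECT m.name FROM menu m JOIN role_menu rm ON rm.menu_id = m.id WHERE rm.role = ?",
        (role,))
    return sorted(r[0] for r in rows)


def backend_allows(db, role, perm):
    """The check every API handler must perform, regardless of what the UI shows."""
    row = db.execute("SELECT 1 FROM role_perm WHERE role = ? AND perm = ?", (role, perm)).fetchone()
    return row is not None


def revoke_menu_only(db, role, menu_id):
    """Vulnerable pattern: only the menu mapping changes; role_perm is left stale."""
    db.execute("DELETE FROM role_menu WHERE role = ? AND menu_id = ?", (role, menu_id))
    db.commit()


def revoke_atomic(db, role, menu_id):
    """Hardened pattern: menu and permission rows are removed in one transaction."""
    with db:  # commits on success, rolls back both deletes if either fails
        perm = db.execute("SELECT perm FROM menu WHERE id = ?", (menu_id,)).fetchone()[0]
        db.execute("DELETE FROM role_menu WHERE role = ? AND menu_id = ?", (role, menu_id))
        db.execute("DELETE FROM role_perm WHERE role = ? AND perm = ?", (role, perm))


def desync_audit(db):
    """(role, perm) pairs the backend still grants although no visible menu maps to them."""
    rows = db.execute("""
        SELECT rp.role, rp.perm
        FROM role_perm rp
        JOIN menu m ON m.perm = rp.perm
        LEFT JOIN role_menu rm ON rm.role = rp.role AND rm.menu_id = m.id
        WHERE rm.menu_id IS NULL
    """)
    return sorted(rows)


def demo_vulnerable():
    """Revoke 'User Add' from the menu only: UI hides it, API still accepts it."""
    db = setup()
    revoke_menu_only(db, "operator", 1)
    return visible_menus(db, "operator"), backend_allows(db, "operator", "sys:user:save"), desync_audit(db)


def demo_fixed():
    """Revoke atomically: UI hides it and the API rejects it; audit finds nothing."""
    db = setup()
    revoke_atomic(db, "operator", 1)
    return visible_menus(db, "operator"), backend_allows(db, "operator", "sys:user:save"), desync_audit(db)


if __name__ == "__main__":
    print("menu-only revoke:", demo_vulnerable())
    print("atomic revoke:   ", demo_fixed())
```

The point of the audit query is that the frontend mapping and the backend mapping are two sources of truth; whenever they are maintained separately, a query like `desync_audit` run on a schedule (or after every role change) surfaces the stale grants that an attacker calling the API directly could still use.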
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass frontend access restrictions and perform unauthorized privileged operations. They may create user accounts with elevated permissions, access sensitive data beyond their clearance, and execute administrative commands. This can lead to data breaches, unauthorized system changes, and potential compromise of the entire application or system.