Fluid Attacks Database

Description

XWiki AdminTools application doesn't set permissions on the AdminTools space

Impact

Users without admin rights have access to AdminTools.SpammedPages.

Details

View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible.

Workarounds

Set the view rights for the AdminTools space to be only available for the XWikiAdminGroup.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.xwiki.admintools:application-admintools	>=0 <1.1	1.1

Aliases

1. CVE-2025-549902. NVD-2025-549903. OSV-2025-549904. GHSA-v7r8-8p5c-h4xw5. GCVE-2025-54990

References

1. https://github.com/xwikisas/application-admintools/security/advisories/GHSA-v7r8-8p5c-h4xw