Our security team detected a bug that allows a normal user to gain access to some admin pages. It involves putting a certain link after signing in.
These are the steps required to reproduce the issue with the Demo website.
1.- Go to the DSpace demo website http://demo.dspace.org/jspui/ (right now it has a DSpace 5.4 implementation)
2.- Sign in as a normal user (for example, I created a new user email@example.com)
3.- Put the following link in the web browser http://demo.dspace.org/jspui/tools/authorize
4.- As a result we are getting an "Administer Authorization Policies" page that belongs to the admin user