XWiki Platform: XWIKI-20267

Privilege escalation (PR) from account through AdminImportSheet/importinline.vm


Details


    Description

      Steps to reproduce:

      1. On any document you have write access to (this can be the user profile), upload the attached file malicious.xar as a user without script, admin or programming rights.
      2. Open the document with the URL parameters sheet=XWiki.AdminImportSheet&file=malicious.xar.

      Expected result:

      Either an error stating that the user cannot use the import functionality, or the import file description with

      XWiki{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello" + " from Groovy!"){{/groovy}}

      displayed as the author of the package.

      Actual result:

      Failed to execute the [html] macro. Cause: [When using HTML content inline, you can only use inline HTML content. Block HTML content (such as tables) cannot be displayed. Try leaving an empty line before and after the macro.]. Click on this message for details.
      
      Hello from Groovy!</span>
      

      followed by some raw HTML. This shows that the Groovy macro found in the XAR file has been executed. Similar attacks are also possible using other fields of the package definition, as importinline.vm doesn't escape these values and XWiki.AdminImportSheet includes this template inside an HTML macro without further safety measures.

      This demonstrates a privilege escalation attack from account rights (that include edit rights on the profile) to programming rights.
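      As an added defensive check (not part of this issue or of XWiki's own code), the following Python script inspects the metadata fields of a XAR before it is imported and flags any field that contains XWiki macro syntax. The package.xml layout (`<package><infos>...`) and the field names are assumptions, and the flagged author string is the one quoted above, embedded as a constructed sample.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Anything that looks like an XWiki macro marker ("{{name" or "{{/name").
# A field carrying it would be parsed as wiki syntax if rendered unescaped.
MACRO_PATTERN = re.compile(r"\{\{/?\s*[A-Za-z][\w-]*")

# package.xml metadata shown by the import UI (assumed layout: <package><infos>...).
DISPLAYED_FIELDS = ("name", "description", "licence", "author", "version")

# Constructed sample: the author string quoted in the issue above.
SAMPLE_AUTHOR = ('XWiki{{/html}} {{async async="true" cached="false" '
                 'context="doc.reference"}}{{groovy}}println("Hello" '
                 '+ " from Groovy!"){{/groovy}}')


def scan_package_xml(package_xml: bytes) -> dict:
    """Return {field: text} for every displayed field that carries macro syntax."""
    infos = ET.fromstring(package_xml).find("infos")
    findings = {}
    if infos is None:
        return findings
    for field in DISPLAYED_FIELDS:
        node = infos.find(field)
        text = (node.text or "") if node is not None else ""
        if MACRO_PATTERN.search(text):
            findings[field] = text
    return findings


def scan_xar(xar_bytes: bytes) -> dict:
    """A XAR is a zip; scan its package.xml (no package.xml means no findings)."""
    with zipfile.ZipFile(io.BytesIO(xar_bytes)) as zf:
        if "package.xml" not in zf.namelist():
            return {}
        return scan_package_xml(zf.read("package.xml"))


def build_sample_xar(author: str) -> bytes:
    """Constructed minimal XAR containing only a package.xml, for offline testing."""
    package_xml = ("<package><infos><name>Demo</name>"
                   "<description>constructed sample</description>"
                   f"<licence>LGPL</licence><author>{escape(author)}</author>"
                   "<version>1.0</version></infos><files/></package>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.xml", package_xml)
    return buf.getvalue()
```

      Running `scan_xar(build_sample_xar(SAMPLE_AUTHOR))` reports the author field, while a plain author name yields no findings.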

      People: Manuel Leduc (mleduc), Michael Hamann (MichaelHamann)