Steps to reproduce:
- Create a comment on the wiki with an image with URL /xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked
- Wait for an admin to view the comment.
Expected results:
No file is created in /tmp.
Actual results:
A file "attacked" is created in /tmp.
Note that the same attack vector can also be used for XWiki syntax injection by simply echoing the desired syntax prefixed by
which may be more useful for executing Groovy code with programming rights.
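A defender-side check for this vector, added here as an example and not part of the report or of XWiki itself: it scans comment bodies for image references and flags any whose URL points back into the wiki's own action URL space (assumed prefix `/xwiki/bin/`) with an action other than an attachment download, or with a query string, since a rendered image that triggers a parameterised view action is exactly the pattern described above. The `[[image:...]]` / `<img src>` regex and the sample comments are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample comment bodies (not taken from the report).
SAMPLE_COMMENTS = [
    "Nice page! [[image:/xwiki/bin/download/Main/WebHome/logo.png]]",
    "Look: [[image:/xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked]]",
    '<img src="https://example.invalid/cat.png">',
]

# Assumed image reference forms: XWiki [[image:ref||params]] and raw HTML <img src="...">.
IMAGE_URL_RE = re.compile(
    r'\[\[image:([^\]|]+)(?:\|\|[^\]]*)?\]\]|<img[^>]+src=["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def extract_image_urls(body):
    """Return every image URL referenced in a comment body."""
    return [wiki or html for wiki, html in IMAGE_URL_RE.findall(body)]


def is_suspicious_image_url(url, wiki_prefix="/xwiki/bin/"):
    """True if the image URL targets a wiki action other than an attachment
    download, or carries a query string (parameters to an action)."""
    parsed = urlparse(url)
    if not parsed.path.startswith(wiki_prefix):
        return False  # external or static resource, out of scope here
    action = parsed.path[len(wiki_prefix):].split("/", 1)[0]
    # Legitimate inline images are served by the download action without parameters.
    return action != "download" or bool(parsed.query)


def find_suspicious_comments(comments):
    """Return (comment_index, url) pairs worth a reviewer's attention."""
    hits = []
    for index, body in enumerate(comments):
        for url in extract_image_urls(body):
            if is_suspicious_image_url(url):
                hits.append((index, url))
    return hits


if __name__ == "__main__":
    for index, url in find_suspicious_comments(SAMPLE_COMMENTS):
        print(f"comment {index}: image URL hits a wiki action: {url}")
```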