Steps to reproduce:
Open <server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D where <server> is the URL of your XWiki installation as a user with programming rights.
An error is displayed because no CSRF token was supplied.
The text "Hello from Groovy!" is displayed.
This demonstrates that a simple get request without CSRF token can trigger remote code execution. This means if an attacker manages to get a user with programming rights to do one of the following he/she can execute arbitrary Groovy/Python/... code:
- Trick the victim to click on a link with the attack code.
- Trick the victim to visit a website that includes the URL as the source of an image. In modern browsers, this needs to be on the same domain as otherwise cookies aren't sent, it could be in the wiki (e.g., in a comment).
The affects version is the version I've reproduced this with, I think this should be reproducible in all versions of the CKEditor integration as I couldn't see anything that would prevent the attack.