A user without program permission, but with script permission and permission to edit wiki content, can read files on the XWiki server, such as the xwiki.cfg file, which contains the superadmin password.
XWiki 13.5 standalone.
After the vulnerability https://jira.xwiki.org/browse/XWIKI-17141, XWiki upgraded its Velocity core and restricted the execution of Java code to users with program permission.
But xwiki also exposes many other variables, such as:
We found that an attacker can read sensitive files on the server and have their contents echoed back in the response by calling $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg").
This issue may lead to a local file read.
The path passed to servletRequest.getRequestDispatcher should be restricted before the dispatch is executed, or this function should require program permission.
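A path guard of the kind the last sentence proposes, added here as an illustration and not XWiki's own code; the class and method names are hypothetical, and the caller is assumed to have already determined whether the script author holds program permission:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Hypothetical guard for a scripting helper that wraps
// ServletRequest.getRequestDispatcher(); illustration only, not XWiki code.
public final class DispatchPathGuard {

    private DispatchPathGuard() {
    }

    // Mirrors the two mitigations: callers with program permission keep the
    // old behaviour, everyone else is limited to public, non-protected paths.
    public static boolean isDispatchPermitted(String path, boolean callerHasProgramPermission) {
        return callerHasProgramPermission || isPublicPath(path);
    }

    // True only for an absolute, context-relative path that, after decoding
    // and collapsing "." / ".." segments, stays outside WEB-INF and META-INF.
    public static boolean isPublicPath(String path) {
        if (path == null || path.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(path).normalize();
        } catch (URISyntaxException e) {
            return false; // backslashes, stray '%' and similar are rejected outright
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false; // "http://host/..." or "//host/..." is not a dispatch path
        }
        String decoded = uri.getPath(); // percent-decoded form
        if (decoded == null || !decoded.startsWith("/")) {
            return false; // relative paths resolve against the current request
        }
        // "%2e%2e" only becomes ".." after decoding, so re-check the segments here.
        for (String segment : decoded.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        String lower = decoded.toLowerCase(Locale.ROOT);
        return !isUnder(lower, "/web-inf") && !isUnder(lower, "/meta-inf");
    }

    private static boolean isUnder(String lowerPath, String lowerDir) {
        return lowerPath.equals(lowerDir) || lowerPath.startsWith(lowerDir + "/");
    }
}
```

With this guard, "/WEB-INF/xwiki.cfg", "/skins/../WEB-INF/xwiki.cfg" and "/%2e%2e/WEB-INF/xwiki.cfg" are all refused for a caller without program permission, while an ordinary resource path such as "/skins/flamingo/style.css" is still dispatched.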