Steps to reproduce
- Log in as a user without script rights.
- Set your first name to
is displayed as first name.
The username in the profile is Hello from groovy!
This demonstrates a privilege escalation attack to programming rights. I don't know yet why or how this works as this was primarily a surprise result while trying to reproduce another vulnerability.
I've also verified that you can actually do dangerous stuff, for example
sets the wiki's owner to the given user id.
The affects version is only the version I reproduced the issue on, this is quite likely much older.