Steps to reproduce
- As a user with programming rights, create a new AWM application with a field of type short text.
- As a user with just edit rights, create a new entry in the AWM application with content
in the short text field
is displayed in the text field.
The value Hello from groovy! is displayed.
This demonstrates a privilege escalation from edit rights to programming rights. It can be exploited on any AWM application that has been created by a user with programming rights and contains a text field that is not the title. I haven't checked whether other fields are exploitable too. From what I've seen, the demo applications don't contain such a field. Since this should be a common situation, I don't think it limits the applicability of the attack.
The affected version is only the version I reproduced this on; this should also affect much older versions of XWiki.
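The report above shows that the content of an AWM short text field is rendered as wiki syntax, so a script macro placed in it runs with the rights of the sheet's author. The script below is an added example, not part of the original report or of XWiki: it scans stored AWM entry values for XWiki script macros so that an administrator can find entries that would trigger this on an unpatched wiki. The entry list, the document names and the field names are constructed for the example, and the list of script macro names is an assumption based on the standard XWiki script macros; it is a detection aid run over exported values, not a fix (the fix is to escape the field value where the sheet displays it).

```python
import re

# XWiki script macros that execute with the rights of the author of the
# rendering document. Assumed list based on the standard XWiki macros;
# extend it to match the script macros enabled on your wiki.
SCRIPT_MACROS = ("groovy", "velocity", "python", "script")

# Matches the opening of an XWiki 2.x macro, e.g. {{groovy}} or
# {{async async="true"}}, but not closing tags ({{/groovy}}) and not the
# verbatim block opener ({{{...}}}).
MACRO_RE = re.compile(r"(?<!\{)\{\{\s*([A-Za-z][\w-]*)")


def find_macros(value):
    """Return all macro names opened in a field value, in order of appearance.

    Names are lowercased so that detection is case-insensitive, which is the
    conservative choice for a scanner.
    """
    return [m.group(1).lower() for m in MACRO_RE.finditer(value)]


def script_macros(value):
    """Return only the macros in the value that would execute a script."""
    return [name for name in find_macros(value) if name in SCRIPT_MACROS]


def is_suspicious(value):
    """True if the value contains at least one script macro."""
    return bool(script_macros(value))


def scan_entries(entries):
    """Map each document that contains a script macro to the macros found.

    ``entries`` is a list of dicts with a ``doc`` name and a ``fields`` dict of
    field name to stored value, e.g. as exported from the wiki.
    """
    flagged = {}
    for entry in entries:
        for value in entry["fields"].values():
            hits = script_macros(value)
            if hits:
                flagged.setdefault(entry["doc"], []).extend(hits)
    return flagged


# Constructed sample entries for the example; not data from a real wiki.
SAMPLE_ENTRIES = [
    {"doc": "MyApp.Data.Entry1",
     "fields": {"title": "First entry", "text": "Hello world"}},
    {"doc": "MyApp.Data.Entry2",
     "fields": {"title": "Second entry",
                "text": '{{groovy}}println("Hello from groovy!"){{/groovy}}'}},
    {"doc": "MyApp.Data.Entry3",
     "fields": {"title": "Third entry",
                "text": "{{info}}just a note{{/info}}"}},
    {"doc": "MyApp.Data.Entry4",
     "fields": {"title": "Fourth entry",
                "text": '{{async async="true" cached="false"}}'
                        '{{velocity}}$xcontext.userReference{{/velocity}}'
                        '{{/async}}'}},
]


if __name__ == "__main__":
    for doc, macros in scan_entries(SAMPLE_ENTRIES).items():
        print(f"{doc}: script macros {', '.join(macros)}")
```

Non-script macros such as `{{info}}` are reported by `find_macros` but not flagged, because only script macros gain anything from the sheet author's rights; wrapping macros such as `{{async}}` are likewise ignored, and the inner script macro is what gets reported.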