Privilege escalation (PR) from view right via Invitation application

Steps to reproduce:

Open <xwiki-host>/xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view where <xwiki-host> is the URL of your XWiki installation.

Expected result:

The text "This page is used by the invitation application" is displayed.

Actual result:

The text This page is used by the invitation application Hello from groovy!.WebHome]] is displayed. This shows that the Groovy macro in the document reference has been executed and thus demonstrates a privilege escalation from view to programming rights.

Similar attacks are possible on other documents of the invitation application but with different preconditions, here the status for all documents besides Invitation.InvitationGuestActions:

• Invitation.InvitationMemberActions: only for members of XWiki.XWikiAllGroup, i.e., needs an account or interaction of a user of that group.
• Invitation.InvitationMailClass: only for admins/with the interaction of a user of that group.
• Invitiation.InvitationCommon, Invitation.InvitationMembersCommon: requires an exploit reference that has the correct name, i.e., is a terminal document which requires creating that terminal document first as it is currently not possible to be on a non-existing terminal document. This therefore currently requires edit rights on at least one space, otherwise the former would be available for guests, the latter requires an account (i.e., XWiki.XWikiAllGroup).
• Invitation.InvitationConfig: not exploitable.

Note that due to the lack of a CSRF check "interaction" means visiting an attacker-generated URL or displaying a document that contains the attack URL as image reference.

This issue exploits a translation parameter and might thus also be fixed by XWIKI-19749 depending on the chosen fix.