Steps to reproduce:
Open <xwiki-host>/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+%22+%2B+%22from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D, where <xwiki-host> is the URL of your XWiki installation. URL-decoded, the value of the since parameter is: {{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
The document displays as if it was opened without a parameter, because the passed value isn't a valid date. In addition, the output of the injected Groovy script ("Hello from groovy!") is displayed, followed by raw HTML code. This demonstrates an XWiki syntax injection via the since parameter: the parameter value is inserted unescaped into the page's wiki content, so the leading {{/html}} closes the surrounding html macro and the remainder of the value is parsed as wiki syntax, including the {{groovy}} script macro. The script runs with the rights of the document's author, which allows privilege escalation from view rights to programming rights.
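The injection above is easy to hunt for after the fact, because a date parameter should never contain XWiki macro syntax. The following is an added example, not code from the advisory or from XWiki: it scans constructed access-log lines for requests to the LegacyNotificationAdministration page, decodes the since parameter (including a second decoding pass for double-encoded payloads), flags values that contain macro syntax, and separately checks the value against a strict allowlist. The allowlist pattern (an ISO-8601 date or date-time) and the log format are assumptions; the page does not document the real format of the since parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic). The first request
# carries the PoC payload from the advisory; the second is a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2022:10:14:02 +0000] "GET /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+%22+%2B+%22from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 18231
10.0.0.7 - - [01/Nov/2022:10:15:40 +0000] "GET /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=2022-10-01 HTTP/1.1" 200 17002
"""

# XWiki macro syntax that has no business in a date parameter: an opening or
# closing marker for the html macro or for the macros that give script execution.
MACRO_RE = re.compile(
    r"\{\{/?\s*(html|async|groovy|velocity|python|script|include|template)\b", re.I
)
# Assumed allowlist for `since`: ISO-8601 date, optionally with a time part.
# Assumption: the real format accepted by the page is not documented here.
SINCE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}(?::\d{2})?)?$")

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def since_values(request_target):
    """Return every decoded `since` value of a request target (path?query)."""
    query = urlsplit(request_target).query
    return parse_qs(query, keep_blank_values=True).get("since", [])


def is_injection(value):
    """True if a parameter value carries XWiki macro syntax.

    The value is checked as-is and after one more percent-decoding so a
    double-encoded payload does not slip past the pattern."""
    return any(MACRO_RE.search(v) for v in (value, unquote(value)))


def is_well_formed_since(value):
    """Allowlist check: does the value look like the date the page expects?"""
    return bool(SINCE_RE.match(value))


def scan_log(text):
    """Return (line_no, since_value, verdict) for every request to the
    LegacyNotificationAdministration page that carries a since parameter."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m or "LegacyNotificationAdministration" not in m.group(1):
            continue
        for v in since_values(m.group(1)):
            if is_injection(v):
                verdict = "injection"
            elif not is_well_formed_since(v):
                verdict = "malformed"
            else:
                verdict = "ok"
            findings.append((n, v, verdict))
    return findings


if __name__ == "__main__":
    for line_no, value, verdict in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: {value[:60]}")
```

The blocklist regex is for hunting in logs only; the server-side fix is to stop putting the raw parameter into wiki syntax in the first place, either by validating against an allowlist like the one above or by escaping the value for the target syntax before rendering it.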
This document was newly introduced in XWiki 14.6 as part of XWIKI-19826, but the same code previously existed in a template of the distribution wizard. That template could be exploited in the same way as the steps detailed in XWIKI-19852: through the template macro, either from the user account or via CKEditor's HTMLConverter, or directly via xpart.vm as shown in XWIKI-19558, before that issue was fixed (i.e., in XWiki versions before 13.10.5 and 14.3-rc-1).