Steps to reproduce:
- As a user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass (search for "Scheduler").
- In "Job Script", add the following
- Click "Save & View"
- If the job information isn't already displayed (you should see "Job Name", "Job Description", etc.), append ?sheet=XWiki.SchedulerJobSheet to the URL.
Under "Job script", the text
This shows that a user without script or programming rights has successfully executed a Groovy macro, and therefore code that runs with programming rights. This is a privilege escalation vulnerability from a plain user account to programming rights.
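A defender reviewing a wiki for this issue would want to find scheduler job objects whose script field carries a script macro but whose author is not a trusted scripter. The following is an added example for that audit, not code from the report or from XWiki; the XML layout it parses is a simplified, constructed stand-in for a document export (assumption: real XWiki exports use a different structure), and the macro list and trusted-author set are assumptions to adapt to your installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample document in a simplified XWiki-like layout (assumption:
# the real export format differs; only the idea of "object with className and
# properties, plus a document author" is carried over).
SAMPLE_EXPORT = """<xwikidoc>
  <web>XWiki</web>
  <name>SomeUser</name>
  <author>XWiki.SomeUser</author>
  <object>
    <className>XWiki.SchedulerJobClass</className>
    <property name="jobName">Nightly cleanup</property>
    <property name="script">{{groovy}}println 'hello'{{/groovy}}</property>
  </object>
  <object>
    <className>XWiki.SchedulerJobClass</className>
    <property name="jobName">Benign</property>
    <property name="script">Just a note, no macro.</property>
  </object>
</xwikidoc>"""

# Opening tags of the script macros worth flagging (assumed list, lowercase).
SCRIPT_MACROS = ("{{groovy", "{{velocity", "{{python", "{{script")

# Authors allowed to author scheduler job scripts (assumed for the example).
TRUSTED_AUTHORS = {"XWiki.Admin"}


def find_risky_jobs(xml_text, trusted_authors=TRUSTED_AUTHORS):
    """Return scheduler job objects whose script contains a script macro and
    whose document author is not in the trusted set."""
    root = ET.fromstring(xml_text)
    author = (root.findtext("author") or "").strip()
    findings = []
    for obj in root.findall("object"):
        if obj.findtext("className") != "XWiki.SchedulerJobClass":
            continue
        props = {p.get("name"): (p.text or "") for p in obj.findall("property")}
        script = props.get("script", "").lower()
        macros = [m for m in SCRIPT_MACROS if m in script]
        if macros and author not in trusted_authors:
            findings.append({
                "job": props.get("jobName", "?"),
                "author": author,
                "macros": macros,
            })
    return findings


if __name__ == "__main__":
    for finding in find_risky_jobs(SAMPLE_EXPORT):
        print(f"job {finding['job']!r} by {finding['author']} uses {finding['macros']}")
```

Run over a set of exported documents, this flags the "Nightly cleanup" job (a Groovy macro authored by a non-trusted user) and ignores the benign one; extend the trusted set with the accounts that legitimately hold script rights.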