Steps to reproduce:
- As a user without script right, add the syntax
to any place an admin might visit (e.g., a comment on the main document). Optionally, hide the image by positioning it outside the viewport, e.g., with a large negative margin.
- Wait for an admin to view that image (or, for reproduction, just view the document as an admin).
Expected result: No log message is produced, as no code is executed (or perhaps a message about a missing CSRF token is displayed).
Actual result: Log messages in the form
are displayed, showing that the Velocity code has been executed. The script runs with the rights of the admin user, thus granting programming right. While the length of the title is limited, it should be possible to load and evaluate further code, e.g., from a document that the attacker controls.
This demonstrates a successful CSRF attack with remote code execution. It is similar to XWIKI-20386, just with the create action, and is probably similarly old.