XWiki Platform / XWIKI-22030

Remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList


Details

    • Integration
    • Unknown
    • N/A
    • N/A
    • Pull Request accepted

    Description

      Steps to reproduce:

      1. As a user without script or programming right, edit any page like your user profile with the object editor
      2. Add an object of type XWiki.WikiMacroClass
      3. Set "Macro Id" to a value like "mymacro", "Macro Name" to any value like "My Test Macro", and "Macro Description" to
        {{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}
        Set "Macro visibility" to "Current User" and "Macro code" to any value like "Hello World!".

      4. Save the page
      5. Open XWiki.XWikiSyntaxMacrosList (Help -> Macros -> Macro index under "Browse Macros")

      Expected result:

      The macro description is displayed in the row of the macro as entered or an error is displayed that the user doesn't have script right.

      Actual result:

      "Hello from User macro!" is displayed as the content of the description, showing that the Groovy code has been executed and thus demonstrating a successful remote code execution attack. This compromises the confidentiality, integrity and availability of the whole XWiki installation.

      This exact vulnerability has existed since the introduction of the vulnerable page in XWIKI-14538, but the exact same vulnerable code was also present in the page that this page replaced.
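As an added defensive example (not part of this issue or of XWiki's own code), the following script scans an XWiki page XML export for XWiki.WikiMacroClass objects whose description field contains script macros such as the one from the reproduction steps, so an administrator can audit existing wiki macros before or after patching. The XML layout (`<object>` with `<className>` and `<property>` children, property names `id`, `name`, `description`, `visibility`, `code`) and the sample export are assumed/constructed here.

```python
# Added example: audit an XWiki page XML export for wiki macro objects whose
# description contains wiki-syntax script macros. The <object>/<className>/
# <property> layout and the property names are assumptions.
import re
import xml.etree.ElementTree as ET

# Macro names that should never appear in a plain-text description field:
# script macros, plus wrappers such as {{async}} that only defer execution.
SCRIPT_MACROS = {"groovy", "velocity", "python", "php", "script", "async"}
MACRO_RE = re.compile(r"\{\{\s*([A-Za-z0-9_-]+)")  # opening macros only

def find_risky_macro_descriptions(xml_text):
    """Return a list of (macro id, sorted script macro names) per flagged object."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != "XWiki.WikiMacroClass":
            continue
        props = {}
        for prop in obj.findall("property"):
            for field in prop:  # each <property> wraps exactly one field element
                props[field.tag] = field.text or ""
        found = sorted({m.lower() for m in MACRO_RE.findall(props.get("description", ""))
                        if m.lower() in SCRIPT_MACROS})
        if found:
            findings.append((props.get("id", "?"), found))
    return findings

# Constructed sample export mirroring the values from the reproduction steps.
SAMPLE_XML = """<xwikidoc>
  <object>
    <className>XWiki.WikiMacroClass</className>
    <property><id>mymacro</id></property>
    <property><name>My Test Macro</name></property>
    <property><description>{{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}</description></property>
    <property><visibility>Current User</visibility></property>
    <property><code>Hello World!</code></property>
  </object>
  <object>
    <className>XWiki.WikiMacroClass</className>
    <property><id>safe</id></property>
    <property><description>Shows a **bold** greeting.</description></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    for macro_id, macros in find_risky_macro_descriptions(SAMPLE_XML):
        print(f"macro '{macro_id}': script macros in description: {', '.join(macros)}")
```

Run it over each exported page (for example the XML files inside a XAR backup) to list macros whose descriptions would have executed under the vulnerable index page.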

      People

        pjeanjean Pierre Jeanjean
        MichaelHamann Michael Hamann