Summary
Missing escaping of the title in the Confluence paste code macro allows remote code execution for any user who can edit any page.
Details
The classes parameter is used without escaping in XWiki syntax, allowing XWiki syntax injection, which enables remote code execution.
PoC
As a user, add the panel macro and, in the classes parameter, input ' %)((({{async}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}} or, with only view rights, by using https://jira.xwiki.org/browse/XWIKI-20449