Summary
Missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page.
Details
The classes parameter is used without escaping in XWiki syntax, which allows XWiki syntax injection and thereby remote code execution.
PoC
As a user, add the panel macro and enter ' %)((({{async}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}} in the classes parameter, or, with only view rights, use https://jira.xwiki.org/browse/XWIKI-20449.
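The following is an added illustration, not the XWiki Confluence macro's own code or fix. It models the class of bug described above: a macro that translates Confluence markup into XWiki syntax builds a macro invocation string and concatenates an attacker-controlled value into a quoted parameter. The output shape ({{container cssClass="..."}}) and both method names are assumptions for the example; the hardened variant rejects anything that is not a plain list of CSS class tokens before it ever reaches the wiki parser, so no XWiki escaping rules need to be relied on for this parameter.

```java
import java.util.regex.Pattern;

// Added example (not XWiki project code): contrasts unvalidated and validated
// construction of a wiki-syntax macro call from an untrusted attribute value.
public final class CssClassParameter {

    // CSS class tokens: letters, digits, hyphen and underscore, separated by single spaces.
    // Anything else (quotes, braces, percent signs, parentheses) is rejected.
    private static final Pattern SAFE_CLASS_LIST =
            Pattern.compile("[A-Za-z0-9_-]+( [A-Za-z0-9_-]+)*");

    // Vulnerable pattern: the value is concatenated into XWiki syntax as-is.
    // A value containing a closing quote and macro markers terminates the
    // parameter and starts a new macro that the renderer will then execute.
    static String buildUnsafe(String classes) {
        return "{{container cssClass=\"" + classes + "\"}}content{{/container}}";
    }

    // Hardened pattern: validate against an allowlist of what a class list may
    // legitimately contain, and refuse everything else. The validated value can
    // never contain the characters needed to escape the quoted parameter.
    static String buildSafe(String classes) {
        if (classes == null || !SAFE_CLASS_LIST.matcher(classes).matches()) {
            throw new IllegalArgumentException("rejected CSS class list: " + classes);
        }
        return "{{container cssClass=\"" + classes + "\"}}content{{/container}}";
    }

    // Returns true when the value would be accepted by the hardened path.
    static boolean isSafeClassList(String classes) {
        return classes != null && SAFE_CLASS_LIST.matcher(classes).matches();
    }

    public static void main(String[] args) {
        String benign = "section column-left";
        // Constructed sample: closes the parameter and opens a second macro call.
        String hostile = "x\"}}{{macro}}injected{{/macro}}{{container cssClass=\"";

        System.out.println("unsafe, benign : " + buildUnsafe(benign));
        System.out.println("unsafe, hostile: " + buildUnsafe(hostile)); // two macro calls, not one
        System.out.println("safe,   benign : " + buildSafe(benign));
        try {
            buildSafe(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("safe,   hostile: " + e.getMessage()); // rejected before rendering
        }
    }
}
```

The allowlist is a deliberate choice over escaping: correct escaping depends on the exact quoting and escape rules of the target wiki syntax version, while a CSS class list has no legitimate need for any of the characters that matter to the parser. The project's actual fix may take a different route (for example escaping the value for XWiki syntax); either way, the check belongs on the untrusted value before it is concatenated into wiki markup.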