GHSA-9hqh-fmhg-vq2j
GitHub Security Advisory
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
Advisory Details
### Impact
Any user with the right to edit his personal page can follow one of the scenarios below:
**Scenario 1**:
- Log in as a simple user with just edit rights on the user profile
- Go to the user's profile
- Upload an attachment in the attachment tab at the bottom of the page (any image is fine)
- Click on "rename" in the attachment list and enter `{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png` as new attachment name and submit the rename
- Go back to the user profile
- Click on the edit icon on the user avatar
- `Hello from groovy!` is displayed as the title of the attachment
**Scenario 2**:
- Log in as a simple user with just edit rights on a page
- Create a Page `MyPage.WebHome`
- Create an XClass field of type String named `avatar`
- Add an XObject of type `MyPage.WebHome` on the page
- Insert an `attachmentSelector` macro in the document with the following values:
  - **classname**: `MyPage.WebHome`
  - **property**: `avatar`
  - **savemode**: `direct`
  - **displayImage**: `true`
  - **width**: `]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}`. You'll find below a snippet of an `attachmentSelector` macro declaration.
- Display the page
- Use the attachment picker to select an image
- `Hello from groovy` is displayed beside the image
Example of an `attachmentSelector` macro declaration:
```
{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}
```
**Note**: The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties.
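For auditing a wiki before or after patching, the following added example (not part of the advisory or of XWiki's code) flags attachment names and `attachmentSelector` `width`, `height` or `alt` values that carry wiki macro or link syntax, as in the two scenarios above. The function names are hypothetical, the second macro in the sample is constructed, and the check is a heuristic for review, not a fix.

```python
import re

# Macro openers/closers and link closers have no place in a file name or in a
# width/height/alt value; finding them means wiki syntax would be injected.
SYNTAX = re.compile(r"\{\{|\}\}|\]\]")
# A quoted parameter value may contain XWiki '~' escapes such as ~" or ~}.
VALUE = r'(?:~.|[^"~])*'
PARAM = re.compile(r'(\w+)="(' + VALUE + r')"', re.S)
SELECTOR = re.compile(
    r'\{\{attachmentSelector((?:\s+\w+="' + VALUE + r'")*)\s*/?\}\}', re.S)
CHECKED = ("width", "height", "alt")  # properties named in the advisory

# Sample page source: the advisory's declaration plus a constructed benign one.
SAMPLE_PAGE = r'''{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}
{{attachmentSelector classname="MyPage.WebHome" property="avatar" width="120" alt="Team photo"/}}'''


def unescape(value):
    """Drop XWiki '~' escapes so the value is seen as the renderer sees it."""
    return re.sub(r"~(.)", r"\1", value, flags=re.S)


def suspicious_name(filename):
    """True if an attachment name carries wiki macro or link syntax."""
    return bool(SYNTAX.search(filename))


def audit_selectors(page_source):
    """Return (property, value) pairs of attachmentSelector calls to review."""
    findings = []
    for macro in SELECTOR.finditer(page_source):
        for name, raw in PARAM.findall(macro.group(1)):
            value = unescape(raw)
            if name in CHECKED and SYNTAX.search(value):
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    for prop, value in audit_selectors(SAMPLE_PAGE):
        print(f"review attachmentSelector {prop}: {value!r}")
```

Feed `suspicious_name` the attachment names listed for each page and `audit_selectors` the page source; any hit deserves a manual look at who last edited the page or renamed the attachment.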
### Patches
The issue can be fixed on a running wiki by updating `XWiki.AttachmentSelector` with the versions below:
- 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
- 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
- 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
### Workarounds
No known workaround.
### References
- https://jira.xwiki.org/browse/XWIKI-19800
### For more information
If you have any questions or comments about this advisory:
- Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
- Email us at [Security Mailing List](mailto:[email protected])
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.