A user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard.
The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.
There’s no easy workaround for this issue, it is recommended to upgrade XWiki.
https://jira.xwiki.org/browse/XWIKI-17794
If you have any questions or comments about this advisory:
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc
github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc
jay-from-future.github.io/cve/2021/06/17/xwiki-rce-cve.html
jira.xwiki.org/browse/XWIKI-17794
nvd.nist.gov/vuln/detail/CVE-2021-32621