Lookup for vulnerable packages by Package URL.

| Field | Value |
| --- | --- |
| Purl | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@15.10-rc-1 |
| Type | maven |
| Namespace | org.xwiki.platform |
| Name | xwiki-platform-oldcore |
| Version | 15.10-rc-1 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | false |
| Next_non_vulnerable_version | null |
| Latest_non_vulnerable_version | null |
| Affected_by_vulnerabilities | |
| Fixing_vulnerabilities | 2 entries (detailed below) |
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@15.10-rc-1 |

Fixing_vulnerabilities[0]

| Field | Value |
| --- | --- |
| url | VCID-rpvk-g9y1-yucv |
| vulnerability_id | VCID-rpvk-g9y1-yucv |
| summary | XWiki Platform remote code execution from account via custom skins support (full text below) |
| references | |
| fixed_packages | |
| aliases | CVE-2024-31987, GHSA-cv55-v6rw-7r5v |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-rpvk-g9y1-yucv |

Summary text for VCID-rpvk-g9y1-yucv:

Any user who can edit any page, such as their profile, can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution.

To reproduce, as a user without edit, script or admin right, add an object of class `XWiki.XWikiSkins` to your profile. Name it whatever you want and set the Base Skin to `flamingo`. Add an object of class `XWikiSkinFileOverrideClass` and set the path to `macros.vm` and the content to:

```
```

Fixing_vulnerabilities[1]

| Field | Value |
| --- | --- |
| url | VCID-xevu-xntb-vufs |
| vulnerability_id | VCID-xevu-xntb-vufs |
| summary | XWiki Platform: Privilege escalation (PR) from user registration through PDFClass (full text below) |
| references | |
| fixed_packages | |
| aliases | CVE-2024-31981, GHSA-vxwr-wpjv-qjq7 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-xevu-xntb-vufs |

Summary text for VCID-xevu-xntb-vufs:

Remote code execution is possible via PDF export templates.

To reproduce on an installation, register a new user account with username `PDFClass` if `XWiki.PDFClass` does not exist. On `XWiki.PDFClass`, use the class editor to add a "style" property of type "TextArea" and content type "Plain Text". Then, add an object of class `PDFClass` and set the "style" attribute to `$services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')")`. Finally, go to `<host>/xwiki/bin/export/Main/WebHome?format=pdf&pdftemplate=XWiki.PDFClass`. If the logs contain "ERROR PDFClass - I got programming: true", the instance is vulnerable.