MediaWiki is vulnerable to cross-site scripting (XSS). Allowing an attacker to modify messages is include raw HTML which NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier.
gerrit.wikimedia.org/g/mediawiki/core/+/ad4a3ba45fb955aa8c0eb3c83809b16b40a498b9/includes/specials/SpecialContributions.php#592
lists.fedoraproject.org/archives/list/[email protected]/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html
security-tracker.debian.org/tracker/CVE-2020-25812