The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). References: https://phabricator.wikimedia.org/T307028 https://gerrit.wikimedia.org/r/c/787807
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 2081079]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-29969