An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class. https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175 https://phabricator.wikimedia.org/T357203
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 2279234]