New versions of MediaWiki have been announced to fix the following flaw:
XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext. The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled. Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege
This is corrected in upstream versions 1.19.16, 1.21.10, and 1.22.7. A CVE has been requested.
Created mediawiki tracking bugs for this issue:
Affects: fedora-all [bug 1104223]
Affects: epel-5 [bug 1104224]
Created mediawiki119 tracking bugs for this issue:
Affects: epel-all [bug 1104225]
MediaWiki 1.21.10 is in testing for both Fedora 19 and 20.
mediawiki119-1.19.18-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
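
A way to check installed packages against the fixed upstream versions listed above (1.19.16, 1.21.10, 1.22.7), as an added example that is not part of the original report or of MediaWiki. The function names and all sample package strings except `mediawiki119-1.19.18-1.el6` are constructed for illustration, and it assumes release lines newer than 1.22 carry the fix, since the report scopes the flaw to versions before 1.22.7.

```python
import re

# Fixed upstream patch level per branch, as stated in this report.
FIXED_PATCH = {(1, 19): 16, (1, 21): 10, (1, 22): 7}
LAST_AFFECTED_BRANCH = (1, 22)

# First x.y.z triple that is not the tail of a longer number, so the "119"
# in the package name "mediawiki119" is never mistaken for a version.
_VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")


def upstream_version(text):
    """Pull x.y.z out of a bare version or an RPM name-version-release string."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return 'fixed' or 'affected' for the Special:PasswordReset XSS."""
    major, minor, patch = upstream_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[branch] else "affected"
    # Assumption: branches after 1.22 include the fix. Older branches with
    # no fixed release listed in the report are treated as affected.
    return "fixed" if branch > LAST_AFFECTED_BRANCH else "affected"


def affected_packages(lines):
    """Filter package strings (e.g. `rpm -qa` output) down to affected ones."""
    cleaned = (line.strip() for line in lines)
    return [pkg for pkg in cleaned if pkg and classify(pkg) == "affected"]


# Constructed sample inventory; only the first entry appears in the report.
SAMPLE = [
    "mediawiki119-1.19.18-1.el6",
    "mediawiki-1.21.10-1.fc20",
    "mediawiki-1.21.9-1.fc19",
    "mediawiki119-1.19.15-1.el5",
    "mediawiki-1.20.8-1.fc18",
]

if __name__ == "__main__":
    for pkg in affected_packages(SAMPLE):
        print("needs update:", pkg)
```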