MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later. References: https://phabricator.wikimedia.org/T268938 https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1909235]
External References: https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html