Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator. Reference: https://fluidattacks.com/advisories/blondie/
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 2240808]