Reflected XSS is possible on Special:GlobalGroupPermissions through the wpGroup parameter if the user does not have permission to edit groups and if they do not have editinterface.
Steps to reproduce:
- Either log out or log in as a user without editinterface and globalgrouppermissions
- Navigate to the following URL in Firefox (to ease verification): https://www.mediawiki.org/wiki/Special:GlobalGroupPermissions?wpGroup=%3Cscript%3Ealert%28document.domain%29%3C/script%3E
- You should see that the script is executed for the "Name of group", "Localised name of group", and "Localised name of group members" fields
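
A regression check for the behaviour reported above, as an added example that is not code from this report or from MediaWiki: it parses a response body and reports whether the `wpGroup` value came back as a live `<script>` element or as HTML-escaped text. The table markup in `sample_page` and all function names are constructed for illustration; only the probe value and the three field labels come from the report.

```python
import html
from html.parser import HTMLParser

# Probe value and field labels taken from the report.
PROBE = "<script>alert(document.domain)</script>"
FIELDS = ("Name of group", "Localised name of group",
          "Localised name of group members")

class _ScriptCollector(HTMLParser):
    """Collects the text of every <script> element an HTML parser would see."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def script_bodies(markup):
    """Return the contents of all script elements found in markup."""
    parser = _ScriptCollector()
    parser.feed(markup)
    parser.close()
    return parser.scripts

def classify_reflection(body, probe=PROBE):
    """Return 'raw' if the probe became a script element, 'escaped' if it
    appears only as HTML-escaped text, and 'absent' otherwise."""
    expected = script_bodies(probe)
    found = script_bodies(body)
    if any(e in s for e in expected for s in found):
        return "raw"
    return "escaped" if html.escape(probe) in body else "absent"

def sample_page(value):
    """Constructed stand-in for the read-only form (not MediaWiki's markup)."""
    rows = "".join(f"<tr><td>{f}:</td><td>{value}</td></tr>" for f in FIELDS)
    return f"<table>{rows}</table>"

VULNERABLE = sample_page(PROBE)           # value echoed without encoding
FIXED = sample_page(html.escape(PROBE))   # value HTML-escaped on output
```

Parsing the body instead of substring-matching avoids flagging a correctly escaped reflection as a hit.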