Just found that when you add a campaign in CentralNotice, the name is not validated or sanitized. Malicious JS code can be trivially injected and run on a user's browser.
Note: Please don't try the following on any public wiki, including test wikis or the beta cluster!! Please only use a local install of Mediawiki.
Locally, I was able to add a campaign named <script>alert('foo')</script>. When I clicked on the URL for this campaign, the code ran in my browser.
The campaign name is set directly in the database with no sanitization other than that provided by Mediawiki's DB classes. See SpecialCentralNotice.php and Campaign.php.
In view of this heinousness, we should carefully check all CN code for adding a campaign, changing settings, and displaying campaign info in the browser. Sanitizaiton should be added.
Only a handful of people have administration rights on CentralNotice, and only those people could perform the action described above. CentralNotice itself allows easy JS, HTML and CSS injection into almost any production wiki--that's what it's for, really. However, I imagine that if a CN admin's account were compromised, the lack of sanitation might be leveraged without the account's compromise getting noticed quickly.