Unclear how exploitable this actually is.
Basic issue, in "includes/MWException.php" line 112, the internalerror-fatal-exception uses ->text() instead of ->escaped(). Furthermore, one of the parameters (the url) is semi-user controlled.
- Set $wgShowExceptionDetails = false; (the default)
- Make a page that somehow triggers a MWException
- append &uselang=qqx to the url so all parameters are shown
- append &foo=<script>alert(1)</script>
- Maybe you get an xss. This will depend on user-agent. Firefox, chrome and safari (in my limitted testing) seems to always percent encode < and > in the HTTP request. curl on the other hand does not. I have no idea if there exists generally used browsers which are vulnerable.
I guess we should treat this as an actual xss just in case?