This is a bit similar to T285515: CVE-2021-41798: XSS vulnerability in Special:Search.
Steps to reproduce
- Perform a CheckUser request so that the CheckUser log is not empty.
- Set MediaWiki:October to <img src=x onerror=alert(1)>
- Go to Special:CheckUserLog
- Enjoy your alert box.
This is possible due to the date value not being escaped.
$rowContent = $this->msg(
	'checkuser-log-entry-' . $row->cul_type,
	$user,
	$target,
	$lang->userTimeAndDate( wfTimestamp( TS_MW, $row->cul_timestamp ), $contextUser ),
	$lang->userDate( wfTimestamp( TS_MW, $row->cul_timestamp ), $contextUser ),
	$lang->userTime( wfTimestamp( TS_MW, $row->cul_timestamp ), $contextUser )
)->text();
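The data flow described above, as an added standalone PHP example (not CheckUser or MediaWiki code): a month name taken from an editable message reaches the HTML through a formatter that escapes nothing, and escaping the date string before substitution neutralises it. The function names, the message template and the sample data are hypothetical stand-ins constructed for illustration.

```php
<?php
// Standalone model of the bug, runnable without MediaWiki. Every name below is
// a hypothetical stand-in, not CheckUser or MediaWiki core code.

// Constructed sample: on-wiki message overrides. 'october' carries the markup
// from the steps to reproduce.
$overrides = [ 'october' => '<img src=x onerror=alert(1)>' ];
$defaults = [ 'october' => 'October' ];

// Stand-in for $lang->userDate(): the month name is looked up as a message,
// so an on-wiki override ends up inside the formatted date string.
function userDate( int $ts, array $overrides, array $defaults ): string {
	$key = strtolower( gmdate( 'F', $ts ) );
	$month = $overrides[$key] ?? $defaults[$key] ?? gmdate( 'F', $ts );
	return gmdate( 'j', $ts ) . ' ' . $month . ' ' . gmdate( 'Y', $ts );
}

// Stand-in for msg( ... )->text(): substitutes $1, $2, ... and escapes nothing.
function msgText( string $template, string ...$params ): string {
	$map = [];
	foreach ( $params as $i => $p ) {
		$map['$' . ( $i + 1 )] = $p;
	}
	return strtr( $template, $map );
}

// Builds one log row. With $escapeDate = false the date reaches the HTML raw,
// as in the report; with true it is escaped before substitution.
function renderRow( string $user, string $target, int $ts,
	array $overrides, array $defaults, bool $escapeDate ): string {
	$date = userDate( $ts, $overrides, $defaults );
	if ( $escapeDate ) {
		$date = htmlspecialchars( $date, ENT_QUOTES );
	}
	$user = htmlspecialchars( $user, ENT_QUOTES );
	$target = htmlspecialchars( $target, ENT_QUOTES );
	// Constructed template, not the real checkuser-log-entry-* message text.
	return '<li>' . msgText( '$1 checked $2 on $3', $user, $target, $date ) . '</li>';
}

$ts = gmmktime( 12, 0, 0, 10, 5, 2021 ); // constructed timestamp in October
$unsafe = renderRow( 'ExampleCU', 'ExampleTarget', $ts, $overrides, $defaults, false );
$safe = renderRow( 'ExampleCU', 'ExampleTarget', $ts, $overrides, $defaults, true );

echo "unescaped: $unsafe\n";
echo "escaped:   $safe\n";
echo 'raw <img> tag in unescaped row: ', var_export( strpos( $unsafe, '<img' ) !== false, true ), "\n";
echo 'raw <img> tag in escaped row:   ', var_export( strpos( $safe, '<img' ) !== false, true ), "\n";
```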