Special:ExpandTemplates parses user input as wikitext and shows a preview, but the form carries no edit token and the handler does not check for one, so the input can be supplied in a plain GET request that any third-party page can link to. With $wgRawHTML = true this is a reflected XSS: the contents of an <html> block in wpInput are emitted verbatim, and the script runs in the wiki's origin for whoever follows the link. It is easy to reproduce and exploit:
Version: unspecified
Severity: normal
URL: http://wikimediafoundation.org/w/index.php?title=Special:ExpandTemplates&wpInput=%3Chtml%3E%3Cscript%3Ealert%281%29%3C/script%3E%3C/html%3E
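The flaw and its fix, as an added example that is not MediaWiki code: a toy preview endpoint in Python that escapes wikitext except for <html> blocks when raw HTML is enabled (the $wgRawHTML behaviour), once without any token check and once requiring a POST carrying a per-session edit token. The token derivation, the wpEditToken parameter name, and the session secret are assumptions for the illustration; the decoded payload is taken from the URL above.

```python
"""Model of a preview endpoint with and without an edit-token check.
Added example, not MediaWiki's code; names below are hypothetical."""
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlsplit

RAW_HTML_RE = re.compile(r"<html>(.*?)</html>", re.DOTALL | re.IGNORECASE)

# URL from the bug report; the payload is recovered from its query string.
REPORTED_URL = ("http://wikimediafoundation.org/w/index.php?title=Special:ExpandTemplates"
                "&wpInput=%3Chtml%3E%3Cscript%3Ealert%281%29%3C/script%3E%3C/html%3E")


def params_from_url(url: str) -> dict:
    """Decode the query string the way the form handler would see it."""
    return parse_qs(urlsplit(url).query)


def render_wikitext(text: str, raw_html: bool) -> str:
    """Toy stand-in for the parser. With raw_html (like $wgRawHTML = true) the
    body of each <html>...</html> block passes through untouched; everything
    else is HTML-escaped. Without raw_html the whole input is escaped."""
    if not raw_html:
        return html.escape(text)
    out, pos = [], 0
    for m in RAW_HTML_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(m.group(1))  # verbatim: this is where script lands in the page
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def edit_token(session_secret: str) -> str:
    """Per-session token bound to this form. Hypothetical derivation (HMAC of a
    fixed label under the session secret), not MediaWiki's scheme."""
    return hmac.new(session_secret.encode(), b"ExpandTemplates", hashlib.sha256).hexdigest()


def vulnerable_preview(params: dict, raw_html: bool = True):
    """The reported behaviour: render whatever arrived in wpInput, even on a
    plain GET with no token, so a cross-site link triggers the preview."""
    return render_wikitext(params.get("wpInput", [""])[0], raw_html)


def hardened_preview(params: dict, session_secret: str, method: str = "GET",
                     raw_html: bool = True):
    """Render only a POST that carries the requesting session's own token;
    otherwise return None (serve the empty form). A link from another site
    cannot supply the token, so the forced preview no longer happens."""
    if method != "POST":
        return None
    supplied = params.get("wpEditToken", [""])[0]
    if not hmac.compare_digest(supplied, edit_token(session_secret)):
        return None
    return render_wikitext(params.get("wpInput", [""])[0], raw_html)


if __name__ == "__main__":
    p = params_from_url(REPORTED_URL)
    print("decoded wpInput:", p["wpInput"][0])
    print("vulnerable, raw html on :", vulnerable_preview(p))
    print("vulnerable, raw html off:", vulnerable_preview(p, raw_html=False))
    print("hardened, GET no token  :", hardened_preview(p, "s3cret"))
```

The token check does not stop a user from previewing their own script when raw HTML is on; that is the documented cost of $wgRawHTML. What it removes is the cross-site trigger: a GET from another origin has no way to present the victim session's token, so the handler never reaches the parser.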