An XSS vulnerability with the MsCalendar extension https://www.mediawiki.org/wiki/Extension:MsCalendar has been fixed. Everyone using the extension should upgrade to version 2.0-1 or higher.
Details available at https://phabricator.wikimedia.org/T133511