MediaWiki · Cosmos Skin · CVE-2020-27620
**Name of the Vulnerable Software and Affected Versions**
The Cosmos Skin for MediaWiki versions through 1.35.0
**Description**
The skin has a stored XSS vulnerability because MediaWiki messages are not properly escaped before being output. The issue involves `wfMessage` and `Html::rawElement`, for example in `CosmosSocialProfile::getUserGroups`.
**Recommendations**
For versions through 1.35.0, update to a version that properly escapes MediaWiki messages to prevent stored XSS.
As a temporary workaround, consider restricting the use of `wfMessage` and `Html::rawElement` until a patch is available.
Restrict access to `CosmosSocialProfile::getUserGroups` to minimize the risk of exploitation.
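
To locate the pattern named in the description when reviewing skin or extension source, the following added example (not part of the advisory and not the Cosmos skin's code) scans PHP text for `wfMessage(...)` calls that end in the unescaped `->text()` or `->plain()` output methods while written directly inside an `Html::rawElement(...)` call. The function names, the `SAMPLE` input and the `example-key` message key are assumptions made for the illustration; a message assigned to a variable before it reaches `Html::rawElement` is not detected by this heuristic.

```python
import re
UNESCAPED = {"text", "plain"}  # Message methods that return text without HTML escaping
RAW_CALL = re.compile(r"Html::rawElement\s*\(")
MSG_CALL = re.compile(r"wfMessage\s*\(")
CHAIN = re.compile(r"\s*->\s*(\w+)\s*\(")

def call_end(src, open_idx):
    """Index just past the ')' matching the '(' at open_idx; PHP string literals are skipped."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1  # skip the escaped character inside the literal
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in "()":
            depth += 1 if c == "(" else -1
            if depth == 0:
                return i + 1
        i += 1
    return len(src)

def output_method(src, i):
    """Follow the ->method(...) chain starting at i and return the last method name."""
    last = None
    while (m := CHAIN.match(src, i)):
        last, i = m.group(1), call_end(src, m.end() - 1)
    return last

def find_raw_message_sinks(src):
    """Return (line, method) for each wfMessage()->text()/plain() inside Html::rawElement()."""
    findings = []
    for call in RAW_CALL.finditer(src):
        for msg in MSG_CALL.finditer(src, call.end(), call_end(src, call.end() - 1)):
            method = output_method(src, call_end(src, msg.end() - 1))
            if method in UNESCAPED:
                findings.append((src.count("\n", 0, call.start()) + 1, method))
    return findings

# Constructed PHP input for the demonstration; not the Cosmos skin's source.
SAMPLE = r"""<?php
$a = Html::rawElement( 'li', [ 'class' => 'group' ], wfMessage( 'example-key' )->text() );
$b = Html::rawElement( 'li', [], wfMessage( 'example-key' )->escaped() );
$c = Html::element( 'li', [], wfMessage( 'example-key' )->text() );
$d = Html::rawElement( 'span', [], wfMessage( 'example-key', $n )->numParams( $n )->plain() );
"""
```

Lines `$b` and `$c` in the sample are not reported: `->escaped()` returns HTML-escaped text, and `Html::element` escapes its contents itself.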