The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information.
Gentoo Linux Security Advisory 201206-9 - Multiple vulnerabilities have been found in MediaWiki, the worst of which leading to remote execution of arbitrary code. Versions less than 1.18.2 are affected.