freebsd FreeBSD 694DA5B4-5877-11DF-8D80-0015587E2CC1
Apr 07, 2010 - 12:00 a.m.

mediawiki -- authenticated CSRF vulnerability

2010-04-07 00:00:00
vuxml.freebsd.org

CVSS2: 6
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS: 0.004
Percentile: 72.2%

A MediaWiki security announcement reports:

MediaWiki was found to be vulnerable to login CSRF.
An attacker who controls a user account on the target
wiki can force the victim to log in as the attacker,
via a script on an external website.
If the wiki is configured to allow user scripts, say
with “$wgAllowUserJs = true” in LocalSettings.php, then
the attacker can proceed to mount a phishing-style
attack against the victim to obtain their password.

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | mediawiki | < 1.15.3 | UNKNOWN |
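
The login CSRF described in the announcement above, shown next to a generic defence: a one-time token bound to the browser's anonymous pre-login session. This is an added example, not code from MediaWiki or from the advisory; the user table, session store and every function name are constructed for illustration.

```python
import hmac
import secrets

# Constructed stand-ins for a user table and server-side session store.
# Plaintext passwords only keep the example short.
USERS = {"alice": "alice-pw", "mallory": "mallory-pw"}
SESSIONS = {}  # session id -> {"user": ..., "login_token": ...}

def new_session():
    """Anonymous session, created the first time a browser visits the wiki."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": None, "login_token": None}
    return sid

def render_login_form(sid):
    """Issue a one-time token bound to this browser's pre-login session."""
    SESSIONS[sid]["login_token"] = secrets.token_urlsafe(32)
    return SESSIONS[sid]["login_token"]  # goes into a hidden form field

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def _credentials_ok(form):
    stored = USERS.get(form.get("name", ""))
    return stored is not None and _same(stored, form.get("password", ""))

def login_unprotected(sid, form):
    """Any POST with valid credentials logs this browser in (login CSRF)."""
    if _credentials_ok(form):
        SESSIONS[sid]["user"] = form["name"]
        return True
    return False

def login_with_token(sid, form):
    """Accept the POST only if it echoes the token issued to this session."""
    expected = SESSIONS[sid]["login_token"]
    SESSIONS[sid]["login_token"] = None  # single use, consumed even on failure
    if not expected or not _same(expected, form.get("token", "")):
        return False
    return login_unprotected(sid, form)

def forged_post_outcomes():
    """A cross-site POST carries the attacker's credentials, never the victim's token."""
    victim, attacker = new_session(), new_session()
    forged = {"name": "mallory", "password": "mallory-pw",
              "token": render_login_form(attacker)}  # token from the wrong session
    render_login_form(victim)  # victim's token stays unreadable cross-origin
    rejected = not login_with_token(victim, forged)
    user_after_check = SESSIONS[victim]["user"]
    accepted = login_unprotected(victim, forged)
    return rejected, user_after_check, accepted, SESSIONS[victim]["user"]
```

The token check runs before the credential check, so a forged request is refused even though the credentials it carries are valid.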
