Incomplete blacklist vulnerability in includes/upload/UploadBase.php in
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2
allows remote attackers to inject arbitrary web script or HTML via an
application/xml MIME type for a nested SVG with a data: URI.