If a role name has malicious XSS, it gets executed in the config page (admin/config/media/imce). I attach the patch.
This is not a security issue, since creating roles requires a high-level permission. I reported it on the security site (that's why the patch file has no correct issue-id in the name), but klausi told me to report it here as critical.

imce-xss_admin_page-93718-1.patch (759 bytes, grisendo)
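The class of bug reported above, as an added example that is not part of the original post and is not IMCE's code or the attached patch: an admin-entered role name is written into a settings table without output encoding, shown beside the encoded form and a DOM-based regression check. The function names and the sample roles are hypothetical; in Drupal 7 the encoding step would normally be `check_plain()`, which wraps `htmlspecialchars()`.

```php
<?php
// Constructed sample data (hypothetical): role id => role name as stored.
$roles = array(
  2 => 'authenticated user',
  3 => 'editor<script>alert(1)</script>',
);

// Vulnerable pattern: the stored name is concatenated into markup as-is.
function render_role_rows_unsafe(array $roles) {
  $rows = '';
  foreach ($roles as $name) {
    $rows .= '<tr><td>' . $name . '</td></tr>';
  }
  return '<table>' . $rows . '</table>';
}

// Hardened pattern: encode at output time, whoever supplied the value.
function render_role_rows_safe(array $roles) {
  $rows = '';
  foreach ($roles as $name) {
    $rows .= '<tr><td>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</td></tr>';
  }
  return '<table>' . $rows . '</table>';
}

// Regression check: parse the rendered page fragment and report how many
// <script> elements exist and what text each table cell displays.
function inspect_rendered(string $html) {
  libxml_use_internal_errors(TRUE);   // tolerate fragment-level parser warnings
  $doc = new DOMDocument();
  $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
  $cells = array();
  foreach ($doc->getElementsByTagName('td') as $td) {
    $cells[] = $td->textContent;
  }
  return array(
    'scripts' => $doc->getElementsByTagName('script')->length,
    'cells' => $cells,
  );
}

$unsafe = inspect_rendered(render_role_rows_unsafe($roles));
$safe = inspect_rendered(render_role_rows_safe($roles));

// The unsafe output must contain a parsed <script> element; the safe output
// must contain none and must display every role name exactly as stored.
$ok = $unsafe['scripts'] > 0
  && $safe['scripts'] === 0
  && $safe['cells'] === array_values($roles);
echo $ok ? "role names are rendered as text only\n" : "check failed\n";
exit($ok ? 0 : 1);
```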


ufku’s picture

Status: Active » Fixed

Committed, thanks.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

Change @klausi to klausi's drupal.org profile URL