If a role name has malicious XSS, it gets executed in the config page (admin/config/media/imce). I attach the patch.
This is not a security issue since creating roles requires a high-level permission. I reported it on the security site (that's why the patch file has no correct issue ID in the name), but klausi told me to report it here as critical.

Attached file: imce-xss_admin_page-93718-1.patch (759 bytes, author: grisendo)
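
Added example, not part of the original issue and not IMCE's code or the attached patch: a stand-alone PHP sketch of the bug class reported above, a role name written into an admin table with and without output escaping. The function `example_role_rows()`, the table markup and the sample roles are hypothetical; `check_plain()` is Drupal 7's escaping helper, with a stand-in defined so the script runs outside Drupal.

```php
<?php
// Added example: illustrative only, not code from the IMCE module.

// Stand-in for Drupal 7's check_plain() when run outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Builds rows for a hypothetical role settings table.
 * $escape = FALSE reproduces the reported behaviour (raw role name in HTML).
 */
function example_role_rows(array $roles, $escape = TRUE) {
  $rows = array();
  foreach ($roles as $rid => $name) {
    $label = $escape ? check_plain($name) : $name;
    $rows[] = '<tr><td>' . $label . '</td>'
      . '<td><select name="roles[' . (int) $rid . '][pid]"></select></td></tr>';
  }
  return $rows;
}

// Constructed sample in the shape user_roles() returns: rid => role name.
$roles = array(
  2 => 'authenticated user',
  4 => 'editor <script>alert(document.domain)</script>',
);

foreach (array(FALSE, TRUE) as $escape) {
  echo $escape ? "escaped:\n" : "unescaped:\n";
  foreach (example_role_rows($roles, $escape) as $row) {
    echo '  ', $row, "\n";
  }
}

// Regression check: with escaping on, no raw script tag reaches the markup.
foreach (example_role_rows($roles) as $row) {
  if (stripos($row, '<script') !== FALSE) {
    throw new Exception('Role name reached the page unescaped');
  }
}
echo "ok: role names are escaped on output\n";
```

The same check works as a regression test for any admin page that lists role names: create a role whose name contains markup and confirm that the rendered page contains only the entity-encoded form.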

Comments

ufku commented:

Status: Active » Fixed

Committed, thanks.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous commented:

Issue summary: View changes

Change @klausi to klausi's drupal.org profile URL