If a role name has malicious XSS, it gets executed in the config page (admin/config/media/imce). I attach the patch.
This is not a security issue since creating roles requires a high-level permission. I reported it on the security site (that's why the patch file has no correct issue-id in the name) but klausi told me to report it here as critical.
| Comment | File | Size | Author |
|---|---|---|---|
| | imce-xss_admin_page-93718-1.patch | 759 bytes | grisendo |
Comments
Comment #1
ufku commented: Committed thanks.
Comment #2.0
(not verified) commented: Change @klausi to klausi's drupal.org profile URL