Drupal Association members fund grants that make connections all over the world.
If a role name has malicious XSS, it gets executed in the config page (admin/config/media/imce). I attach the patch.
This is not a security issue since creating roles requires high level permission. I reported in the security site (that's why patch file has no correct issue-id in the name) but klausi told me to report it here as critical.