If a role name has malicious XSS, it gets executed in the config page (admin/config/media/imce). I attach the patch.
This is not a security issue since creating roles requires high-level permission. I reported it on the security site (that's why the patch file has no correct issue ID in the name) but klausi told me to report it here as critical.

Files:
Comment | File | Size | Author
 | imce-xss_admin_page-93718-1.patch | 759 bytes | grisendo

Comments

ufku

Status: Active » Fixed

Committed, thanks.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous

Issue summary: View changes

Change @klausi to klausi's drupal.org profile URL