Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles