Croogo prior to 3.0.7 allows cross-site scripting (XSS) via the title submitted to admin/menus/menus or admin/taxonomy/vocabularies.