Cross-site scripting (XSS) vulnerability in the LoginToboggan module 5.x-1.x-dev before 20070712 for Drupal allows remote authenticated users with βadminister blocksβ permission to inject arbitrary JavaScript and gain privileges via βthe message displayed above the default user login block.β