Content type names (from /admin/content/node-type/blog - enter JavaScript into the Name) are vulnerable to XSS on admin/messaging/notifications/content.

The intervals on admin/messaging/notifications/intervals will execute JavaScript on user/UID/notifications/subscriptions. These are mitigated by the fact that they require “administer content types” and “administer site configuration” to exploit, respectively.

Given that these require advanced permissions, they can be discussed/fixed publicly: http://drupal.org/security-advisory-policy
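
The pattern behind both reports, as an added example that is not part of the original post and not the Notifications module's code: an admin-defined label printed raw next to the same label passed through Drupal's check_plain(), plus a small audit helper for stored labels. The example_* functions and the sample names are hypothetical and constructed for illustration; the check_plain() stand-in is only there so the file runs outside Drupal.

```php
<?php
// Added example, not the Notifications module's code. Names prefixed example_ are hypothetical.

// Stand-in so the file runs outside Drupal; inside Drupal the core check_plain() is used.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Build checkbox rows from admin-defined labels; $escape toggles the fix.
function example_render_rows(array $labels, $escape) {
  $rows = array();
  foreach ($labels as $key => $label) {
    $text = $escape ? check_plain($label) : $label;
    $rows[] = '<label><input type="checkbox" name="' . check_plain($key) . '" /> ' . $text . '</label>';
  }
  return implode("\n", $rows);
}

// Audit helper: keys of stored labels that contain HTML metacharacters.
function example_find_markup(array $labels) {
  $hits = array();
  foreach ($labels as $key => $label) {
    if (check_plain($label) !== $label) {
      $hits[] = $key;
    }
  }
  return $hits;
}

// Constructed sample data standing in for content type names and interval names.
$type_names = array('blog' => 'Blog <script>alert(1)</script>', 'page' => 'Page');
$interval_names = array('3600' => 'Hourly', '86400' => 'Daily <script>alert(1)</script>');

foreach (array('types' => $type_names, 'intervals' => $interval_names) as $set => $labels) {
  echo "== $set, unescaped (markup reaches the page) ==\n", example_render_rows($labels, FALSE), "\n";
  echo "== $set, escaped with check_plain() ==\n", example_render_rows($labels, TRUE), "\n";
  echo "labels containing markup: ", implode(', ', example_find_markup($labels)), "\n\n";
}
```

The escaping belongs at output time on every page that prints these labels, since the same stored name is rendered on more than one path.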