Unsanitized output in the browser UI leaves HTML tags in place and can result in arbitrary code execution in Firefox before version 58.0.1.
CWE-79
CVE-2018-5143
URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the “javascript:” URL, the protocol is not removed and the script will execute. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Firefox < 59.
CVE-2018-5071
Persistent XSS exists in the web server on Cobham Sea Tel 116 build 222429 satellite communication system devices: remote attackers can inject malicious JavaScript code using the device’s TELNET shell built-in commands, as demonstrated by the “set ship name” command. This is similar to a Cross Protocol Injection with SNMP.
CVE-2018-5072
Online Ticket Booking has XSS via the admin/sitesettings.php keyword parameter.
CVE-2018-5074
Online Ticket Booking has XSS via the admin/manageownerlist.php contact parameter.
CVE-2018-5075
Online Ticket Booking has XSS via the admin/snacks_edit.php snacks_name parameter.