An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details. The XSS payload is then executed when an authenticated administrator user views the booking on the booking-list and cust-lookup pages.
XSS can be injected via most fields in the booking form. The payload is then executed on the booking-list and cust-lookup admin pages when an authenticated administrator views them.