$_GET['tab'] is not escaped.
So if the user has at least one notice that has not been dismissed, we have reflected XSS.
A similar bug exists inside hints.
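The pattern described above, next to a hardened form, as an added example that is not the affected product's code. The function names, the markup, the dismiss link and the tab allowlist are all assumptions made for illustration; only the `tab` query parameter comes from the advisory.

```php
<?php
// Added illustration: every name and all markup here is hypothetical.

function enc(string $s): string
{
    // Encode for HTML text and quoted-attribute contexts.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the raw query parameter is concatenated into an attribute.
function render_notice_vulnerable(array $query, string $message): string
{
    $tab = $query['tab'] ?? 'general';
    return '<div class="notice">' . enc($message)
         . ' <a href="?tab=' . $tab . '&dismiss=1">Dismiss</a></div>';
}

// Hardened: allowlist the value, then encode for the context it lands in.
const KNOWN_TABS = ['general', 'advanced', 'hints']; // assumed tab names

function render_notice_hardened(array $query, string $message): string
{
    $tab = $query['tab'] ?? 'general';
    // Reject non-strings (?tab[]=x) and anything outside the allowlist.
    if (!is_string($tab) || !in_array($tab, KNOWN_TABS, true)) {
        $tab = 'general';
    }
    $href = '?' . http_build_query(['tab' => $tab, 'dismiss' => 1]);
    return '<div class="notice">' . enc($message)
         . ' <a href="' . enc($href) . '">Dismiss</a></div>';
}

// Constructed inputs: a valid tab, a value that breaks out of the attribute,
// and an array value that a naive string check would miss.
$samples = [
    ['tab' => 'advanced'],
    ['tab' => 'x" data-injected="1'],
    ['tab' => ['nested']],
];

foreach ($samples as $query) {
    if (is_string($query['tab'])) {
        echo 'before: ', render_notice_vulnerable($query, 'Update available'), PHP_EOL;
    }
    echo 'after:  ', render_notice_hardened($query, 'Update available'), PHP_EOL;
}
```

Because the advisory notes a similar bug in hints, the same validate-then-encode step belongs in every place the parameter is echoed, not only in the notice renderer.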
Proof of Concept:
- 26-10-2015: Discovered
- 26-10-2015: Vendor notified
- 29-10-2015: Version 220.127.116.11 released, issue resolved