(*---) Log in.(*---) Provoke an XSS attack on a specific page.(*---) Give a feedback comment on the behalf of someone else.(*---) Enter a reimbursement request with an invalid IBAN.
(**--) Provoke an XSS attack that triggers a new reimbursement request.(**--) Log in as someone else without using the login screen.(**--) Check other people’s holidays.
(***-) Delete a profile picture.(***-) Provoke an XSS attack on any page.
(****) Leak the database schema.(****) Leak any database table.(****) Log in as an administrator.(****) Retrieve a user’s password.(****) Read ELEFAN’s config remotely.