Parameters passed via $_GET aren't sanitised properly.
Everyone can read any comment and its poster, although these should be
readable only by superiors.
You can see which supervisor the task was forwarded to and their UniqueIDs.
Anyway, everything acts really strangely if you try to test something.
Out of 10 tries, you get:
8x all the information you want to get
1x a weird name instead of the real one
1x an error page like 404, "session timed out", a blank site, ...
For all these tests it is not necessary to be logged in.
There might be a lot more bugs, but I can't look for them on a live system :(