phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).

SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.

SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.