Security Bug: Create an empty record in SugarCRM


I have plenty of experience with SugarCRM, ranging from development to integration solutions. This week I spent some time on the security of SugarCRM and discovered a security bug that I consider very serious: you can create blank records in every module. It is enough to send an HTTP request with a URL like this: index.php?action=Save&module=Leads&record=&return_module=Leads&return_action=detailview

With web-based applications you can mitigate issues of this kind (XSS, SQL injection, and so on) without touching the application code directly, by adopting a security solution such as ModSecurity (http://www.modsecurity.org/).
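As an added illustration (this is not part of the original post, and not SugarCRM's or ModSecurity's code), here is a small Python check that recognises a Save request of the kind shown above: an empty `record` parameter and no data fields at all, only navigation parameters. The same condition can be applied at the edge (as a WAF rule), in the application before the record is written, or, as done here, over web server access log lines to find out whether blank records have already been created. The set of "control" parameters and the sample log lines are my own assumptions, constructed for the example.

```python
"""Detect SugarCRM-style Save requests that carry no record data.

Added example, not SugarCRM's own code.  Assumption: the parameters in
CONTROL_PARAMS are purely navigational; every other parameter is treated
as a record field.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed navigation/control parameters of a Save request (not a SugarCRM
# definition; adjust to the modules you run).
CONTROL_PARAMS = {
    "module", "action", "record", "return_module", "return_action", "return_id",
}


def blank_save_request(url: str) -> bool:
    """True if `url` is a Save of a *new* record that contains no field data.

    A Save with a non-empty `record` is an edit of an existing record and is
    not flagged; a Save that carries at least one non-blank data field is a
    normal create and is not flagged either.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("action", [""])[0] != "Save":
        return False
    if query.get("record", [""])[0]:
        return False  # editing an existing record, not creating one
    # Any parameter outside the control set with a non-blank value counts as data.
    has_data = any(
        any(value.strip() for value in values)
        for name, values in query.items()
        if name not in CONTROL_PARAMS
    )
    return not has_data


# Constructed sample access log lines (Apache combined-style; not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2011:10:00:01 +0200] "GET /sugarcrm/index.php?action=Save&module=Leads&record=&return_module=Leads&return_action=detailview HTTP/1.1" 302 -
10.0.0.7 - - [12/Apr/2011:10:00:05 +0200] "GET /sugarcrm/index.php?module=Leads&action=DetailView&record=abc123 HTTP/1.1" 200 1234
10.0.0.5 - - [12/Apr/2011:10:00:09 +0200] "GET /sugarcrm/index.php?action=Save&module=Leads&record=&last_name=Rossi HTTP/1.1" 302 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def scan_log(text: str):
    """Return (ip, timestamp, module) for every blank Save request in the log text.

    Only the query string is visible in an access log, so POSTed form bodies
    are not inspected here; apply blank_save_request() to the request
    parameters server-side for those.
    """
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        url = match.group("url")
        if blank_save_request(url):
            module = parse_qs(urlsplit(url).query).get("module", ["?"])[0]
            hits.append((match.group("ip"), match.group("ts"), module))
    return hits


if __name__ == "__main__":
    for ip, ts, module in scan_log(SAMPLE_LOG):
        print(f"{ts} blank {module} record created from {ip}")
```

Running the block over the constructed log reports the first line only: the second is a plain DetailView, and the third Save carries a `last_name` value and so is a legitimate create. A request such as `action=Save&module=Leads&record=&last_name=` (a field present but blank) is still flagged, which is the point of checking values rather than parameter names.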

The SugarCRM version in which I found the problem is 6.1 (Community, Professional and Enterprise).

SugarCRM has opened the bug on the SugarCRM Bug Tracker as #43159 (http://www.sugarcrm.com/crm/support/bugs.html?bug_number=43159).

Bye,
Antonio Musarra.
