My name is Egidio Romano (aka EgiX) and I'm a freelance web application security researcher.
I found a critical security vulnerability in SugarCRM CE, but I think that it also affects other editions.
I tested and successfully exploited these versions:
This vulnerability allows authenticated users to delete or overwrite arbitrary files owned by the webserver,
and this could also lead to execution of arbitrary PHP code, so a full system compromise would be possible.
According to the SugarCRM Security Policy, I've reported this vulnerability to email@example.com two times:
the first on 5th November 2011 and the second on 19th November 2011, but I have still received no response!!
Please feel free to contact me privately for coordinating a responsible disclosure.