phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
sugarcrm sugarcrm 3.5.1