A few weeks ago I wrote about SugarCRM demanding that companies using it identify the product on user screens.
The company was demanding credit from its installers, I wrote, and threatening to turn sites using open source into the equivalent of NASCAR cars.
But it turns out there is a flip side to that story.
Secunia has reported a cross-site scripting (XSS) vulnerability in older versions of SugarCRM, those prior to version 4.5, that could let attackers run their own script in the browsers of people using affected sites.
The badges Sugar has been insisting on would let those attackers pick out targets by simply reading the screen: the badge tells them a site runs SugarCRM, and which version. And all this could leave Sugar vulnerable to legal attack from its clients.
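To show how little work a visible attribution badge leaves an attacker, here is an added example (not code from the post, from Secunia, or from SugarCRM) that scans a batch of fetched pages for a "Powered by SugarCRM x.y.z" string and flags any version below 4.5. The badge wording, the hostnames and the page bodies are all constructed for the example; the real badge markup is not something this post describes.

```python
import re

# Constructed sample pages keyed by hostname. The "Powered by SugarCRM <version>"
# text is an ASSUMED stand-in for whatever attribution string a site is made to
# show; it is not the real SugarCRM badge markup.
SAMPLE_PAGES = {
    "shop.example":  "<html><body><div class='footer'>Powered by SugarCRM 4.2.1</div></body></html>",
    "crm.example":   "<html><body><p>Powered by SugarCRM 4.5.0</p></body></html>",
    "sales.example": "<html><body><p>Powered by SugarCRM 4.10.0</p></body></html>",
    "blog.example":  "<html><body><p>Nothing to see here.</p></body></html>",
}

# Assumed badge pattern: product name followed by a dotted version number.
BADGE_RE = re.compile(r"Powered by SugarCRM\s+(\d+(?:\.\d+)*)", re.IGNORECASE)

# Versions before this one are the ones the post says Secunia flagged.
FIXED_VERSION = (4, 5)


def parse_version(text):
    """Turn '4.10.0' into (4, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(html):
    """Return the advertised version as a tuple, or None if no badge is present."""
    match = BADGE_RE.search(html)
    if match is None:
        return None
    return parse_version(match.group(1))


def is_affected(version):
    """True when the advertised version sorts before 4.5.

    Tuple comparison handles the awkward cases: (4, 10, 0) is newer than
    (4, 5), and (4, 5, 0) is not before (4, 5).
    """
    return version < FIXED_VERSION


def triage(pages):
    """Map each hostname to (version or None, affected?)."""
    results = {}
    for host, html in pages.items():
        version = fingerprint(html)
        affected = version is not None and is_affected(version)
        results[host] = (version, affected)
    return results


if __name__ == "__main__":
    for host, (version, affected) in sorted(triage(SAMPLE_PAGES).items()):
        label = "no badge" if version is None else ".".join(map(str, version))
        print(f"{host:15} {label:10} {'BEFORE 4.5' if affected else 'ok'}")
```

The same few lines serve the defender: a site owner can run `fingerprint` against their own front page to see exactly what they are advertising to the world, and whether the version on the badge is one they would rather not be announcing.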
If you insist on taking credit, you also get the blame. I wonder how they like their "stinking badges" now?