We have run Nessus scans on our Sugar CRM 6.5 Community Edition instance and the report has found the following potential vulnerability that needs to be checked to see whether it is a positive or not. This seems to be specific to index.php not being protected by a random token.
More details from the Nessus report include:
The spider found HTML forms on the remote web server. Some CGI scripts do not appear to be protected by random tokens, a common anti-cross-site request forgery (CSRF) protection. The following CGIs are not protected by a random token: /index.php The web application might be vulnerable to CSRF attacks.

Please can someone indicate how Sugar provides protection against CSRF attacks. I need to qualify with certainty that this is in fact a false positive or not.
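For reference, here is what the Nessus finding is looking for, as an added example that is not Sugar's code and not Nessus's own detection logic. It shows the synchronizer-token pattern (a random per-session token embedded as a hidden form field and compared on every state-changing request) next to a small heuristic audit of the kind a spider performs: flag any POST form whose action has no hidden token-like field. The token field names in TOKEN_FIELD_NAMES are an assumption for the example; a real application may name the field differently, which is exactly how a scanner ends up reporting a protected form as unprotected.

```python
import hmac
import secrets
from html.parser import HTMLParser

# Hidden-field names this demo treats as CSRF tokens. These names are an
# assumption for the example; a real CRM or scanner may use different ones.
TOKEN_FIELD_NAMES = {"csrf_token", "_csrf", "token"}


def issue_token(session: dict) -> str:
    """Create (or reuse) one random token per session (synchronizer token pattern)."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def render_form(session: dict, action: str = "/index.php") -> str:
    """Render a POST form that carries the session token in a hidden field."""
    token = issue_token(session)
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="name">'
        '<input type="submit" value="Save">'
        "</form>"
    )


def verify_request(session: dict, post_params: dict) -> bool:
    """Accept a state-changing request only if its token matches the session token."""
    expected = session.get("csrf_token")
    submitted = post_params.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


class _FormAudit(HTMLParser):
    """Record, per <form>, its action, method and whether a hidden token field exists."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_token": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            is_hidden = (a.get("type") or "").lower() == "hidden"
            if is_hidden and (a.get("name") or "").lower() in TOKEN_FIELD_NAMES:
                self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def unprotected_forms(html: str) -> list:
    """Return the actions of POST forms with no hidden token field (what a spider flags)."""
    parser = _FormAudit()
    parser.feed(html)
    return [
        f["action"] for f in parser.forms if f["method"] == "post" and not f["has_token"]
    ]


if __name__ == "__main__":
    # Constructed sample: one protected form and one with no token.
    session = {}
    protected = render_form(session)
    bare = '<form method="post" action="/index.php"><input type="text" name="q"></form>'
    print("flagged in protected page:", unprotected_forms(protected))
    print("flagged in bare page:", unprotected_forms(bare))
    print("valid token accepted:", verify_request(session, {"csrf_token": session["csrf_token"]}))
    print("missing token rejected:", verify_request(session, {}))
```

To settle the finding, compare what unprotected_forms reports against the real page: fetch the /index.php form as an authenticated user and check whether a hidden per-session token is actually present and whether the server rejects a POST that omits or alters it. If the token exists under a name the scanner does not recognize, the report is a false positive; if a POST without it succeeds, it is not.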