Hi,
I found these issues in ZurmoCRM. All issues are reported on their GitHub.
1.- HTML Injection
If you create a Product, list, etc. with this name: <h1>injection</h1>
When you go to the preview page (in this case products), you can see the injection.
2.- Information Disclosure
When you put %00 in moduleClassName you can see the full path of the installation of ZurmoCRM: /index.php/designer/default/modulesMenu?moduleClassName=%00
3.- XSS
When you create a list, in the "check list" field you can insert XSS code:
index.php/tasks/default/list#
All issues are reported:
https://github.com/zurmo/Zurmo/issues
Regards.