The Newsletter extension up to and including 4.0.0 for TYPO3 allows SQL Injection.
Vendor: newsletter project. Product: newsletter.