The oelib (aka One is Enough Library) extension up to and including 4.1.5 for TYPO3 allows SQL Injection.
oliverklee oelib