The seminars (aka Seminar Manager) extension up to and including 4.1.3 for TYPO3 allows SQL Injection.
oliverklee seminars