I just got a confirmation from another user who reported that API links could be used under some circumstances to make SQL injections.
All versions below 3.5 are affected, and upgrading to v3.5 is therefore strongly advised!