A problem has been discovered where the internal form engine can be used for sending arbitrary mail headers, using it for purposes which it is not meant for.

More... (http://news.typo3.org/news/article/typo3-security-bulletin-typo3-20070221-1-email-header-injection/)