It can't be SQL injections in csrf_token because all MySQL queries related to CSRF are written using prepared statements. 

If you can show how to reproduce the issue via private message and please specify what version of UNA you are using, we'll investigate it more carefully and make an urgent fix.