Within server.php, the SQL injections start on Line 82. The malicious inputs pass through an easily bypassed method, undomq. Then the tainted input is executed on Line 90 and / or Line 92.
In addition, I noticed an extremely unsafe function, mysql_escape_string (class.SQLPaging.php: Line 142) used. It would be wise to use something much more robust.
I am not going to comment on "...Not accessible from anywhere else than localhost...." It isn't clear to me they understand the impact of the vulnerability and user's installation practices. Thankfully, Scalr's development team understands risk reduction by defaulting the listener to only localhost.
Scorch earth solution. There were plans to remove the offending source code from the project prior to my notification. Win / win solution. When they remove the obsolete code, the vulnerabilities will cease to exist.