It has been discovered that the extension "Dynamic Content Elements" (dce) is susceptible to Information Disclosure.
October 17, 2014
October 18, 2014 (added CVE)
Third party extension. This extension is not a part of the TYPO3 default installation.
all versions of 0.7.x, 0.8.x, 0.9.x, 0.10.x, 0.11.4 and below of 0.11.x
Suggested CVSS v2.0:
The extension provides a functionality to check for extension updates. Along with this functionality, installation environment data is automatically reported to the infrastructure of the extension author without user interaction.
Updated version 0.11.5 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/dce/0.11.5/t3x/
. The new extension version provides a configuration option to enable the described behaviour.
Credits go to Georg Ringer who discovered and reported the issue and Armin Vieweg who quickly responded & resolved this issue.
Follow the recommendations that are given in the TYPO3 Security Guide
. Please subscribe to the typo3-announce mailing list
to receive future Security Bulletins via E-mail.