CVE-2014-8328: 
PHP vulnerability analysis and mitigation

The Dynamic Content Elements (dce) extension before version 0.11.5 for TYPO3 contained an Information Disclosure vulnerability identified as CVE-2014-8328. The vulnerability was discovered and disclosed on October 17, 2014. This security issue affected all versions of 0.7.x, 0.8.x, 0.9.x, 0.10.x, 0.11.4 and below of 0.11.x of the DCE extension (TYPO3 Advisory).

The vulnerability allowed remote attackers to obtain sensitive installation environment information by reading the update check request. The issue was rated as Low severity with a CVSS v2.0 base score of 5.0 (MEDIUM) with vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N). The extension's functionality to check for updates automatically reported installation environment data to the extension author's infrastructure without user interaction (TYPO3 Advisory).

The vulnerability exposed sensitive installation environment information to potential attackers through the extension's update check functionality. This information disclosure could potentially be used by attackers to gather intelligence about the system configuration (TYPO3 Advisory).

The vulnerability was fixed in version 0.11.5 of the DCE extension. The updated version provided a configuration option to enable the update check behavior, making it opt-in rather than default. Users were advised to update to version 0.11.5 or later to resolve the security issue (TYPO3 Advisory).

The vulnerability was discovered and reported by Georg Ringer, and the extension author Armin Vieweg quickly responded and resolved the issue (TYPO3 Advisory).