Advisories for Composer/T3/Dce package

2022

Exposure of Sensitive Information to an Unauthorized Actor

The default configuration in the Dynamic Content Elements (dce) extension before 0.11.5 for TYPO3 allows remote attackers to obtain sensitive installation environment information by reading the update check request.

2021

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.