it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105
- Date: Wed, 3 Sep 2025 16:15:49 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=P7518KIo; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 34A518477E
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org EF46E418D9
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-105
Project: Acquia DAM [1]
Date: 2025-September-03
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass, Information Disclosure
Affected versions: <1.1.5
CVE IDs: CVE-2025-9954
Description:
This module enables you to connect a Drupal site to the Acquia DAM service,
which syncs media from the third party service to the site.
The module doesn't sufficiently validate authorization for a list of DAM
assets currently synced to the website, creating an access bypass
vulnerability.
This vulnerability is mitigated by the fact that it only impacts sites where
it is undesirable for users with the "view media" permission to access any
DAM asset.
*CVSS risk score (experimental [3]) 6.9 / Medium*
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [4]
Solution:
Install the latest version, which will automatically reset three views to have
permission-based access control based on the "access media overview"
permission. If you have modified the view access in some other way, you will
need to redo that modification after upgrading the module.
* If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam
1.1.5 [5]
Sites that cannot update to this code can mitigate the issue by modifying
three views to be restricted to that permission: Acquia DAM Asset Library,
Acquia DAM links, DAM Content Overview.
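The following is an added example, not code from the acquia_dam module or from the Drupal Security Team. It shows how a site owner could verify the mitigation above: audit the exported configuration of the three views and confirm that every display uses permission-based ("perm") access tied to "access media overview". The advisory does not give the views' machine names, so the IDs in the constructed samples are placeholders; the input format is the dictionary form of a `views.view.<id>` config export (as produced by `drush config:get views.view.<id>` in YAML), built inline here so the check runs offline.

```python
"""Audit Drupal Views config exports for permission-based access.

Added example for SA-CONTRIB-2025-105 (not the module's or the Security
Team's code). View machine names below are placeholders; the config
structure (display -> display_options -> access) is the standard Views
export layout.
"""

# Permission the advisory says the three views must be restricted to.
REQUIRED_PERM = "access media overview"


def display_access(view: dict, display_id: str) -> dict:
    """Return the effective access settings for one display.

    A Views display either overrides `access` or inherits it from the
    `default` display; an override shows up as the display having its own
    `display_options.access` key.
    """
    displays = view.get("display", {})
    own = displays.get(display_id, {}).get("display_options", {})
    if "access" in own:
        return own["access"]
    return displays.get("default", {}).get("display_options", {}).get("access", {})


def audit_view(view: dict) -> list:
    """Return (display_id, reason) findings for every display that is not
    restricted to REQUIRED_PERM; an empty list means the view is mitigated."""
    findings = []
    for display_id in view.get("display", {}):
        access = display_access(view, display_id)
        kind = access.get("type")
        if kind != "perm":
            findings.append((display_id, f"access type is {kind!r}, expected 'perm'"))
            continue
        perm = access.get("options", {}).get("perm")
        if perm != REQUIRED_PERM:
            findings.append((display_id, f"permission is {perm!r}, expected {REQUIRED_PERM!r}"))
    return findings


def audit_all(views: list) -> dict:
    """Map each view id to its findings so a site can check all three at once."""
    return {v.get("id", "?"): audit_view(v) for v in views}


# Constructed samples (placeholder machine names, not the module's real IDs).
# Weak: no access check on the default display, page display inherits it.
WEAK_VIEW = {
    "id": "dam_placeholder_library",
    "display": {
        "default": {"display_options": {"access": {"type": "none", "options": {}}}},
        "page_1": {"display_options": {"path": "dam/library"}},
    },
}

# Fixed: default display restricted to the advisory's permission, inherited.
FIXED_VIEW = {
    "id": "dam_placeholder_links",
    "display": {
        "default": {"display_options": {"access": {"type": "perm",
                                                    "options": {"perm": REQUIRED_PERM}}}},
        "page_1": {"display_options": {"path": "dam/links"}},
    },
}

# Partially fixed: default display corrected, but page_1 overrides access with
# a weaker permission, which is the case a manual fix can easily miss.
PARTIAL_VIEW = {
    "id": "dam_placeholder_overview",
    "display": {
        "default": {"display_options": {"access": {"type": "perm",
                                                    "options": {"perm": REQUIRED_PERM}}}},
        "page_1": {"display_options": {"access": {"type": "perm",
                                                   "options": {"perm": "view media"}}}},
    },
}


if __name__ == "__main__":
    for view_id, findings in audit_all([WEAK_VIEW, FIXED_VIEW, PARTIAL_VIEW]).items():
        status = "OK" if not findings else "NEEDS ATTENTION"
        print(f"{view_id}: {status}")
        for display_id, reason in findings:
            print(f"  {display_id}: {reason}")
```

The override check matters: resetting the default display is not enough if a page or block display has its own access settings, so the audit resolves access per display rather than looking only at `default`.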
Reported By:
* Brandon Goodwin (bgoodie) [6]
* Chris Burge (chris burge) [7]
* Todd Woofenden (toddwoof) [8]
Fixed By:
* Chris Burge (chris burge) [9]
* Damien McKenna (damienmckenna) [10] of the Drupal Security Team
* Jakob P (japerry) [11]
* Todd Woofenden (toddwoof) [12]
Coordinated By:
* cilefen (cilefen) [13] of the Drupal Security Team
* Greg Knaddison (greggles) [14] of the Drupal Security Team
* Cathy Theys (yesct) [15] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [16]
[1] https://www.drupal.org/project/acquia_dam
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/securitydrupalorg/issues/3442181
[4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
[5] https://www.drupal.org/project/acquia_dam/releases/1.1.5
[6] https://www.drupal.org/u/bgoodie
[7] https://www.drupal.org/u/chris-burge
[8] https://www.drupal.org/u/toddwoof
[9] https://www.drupal.org/u/chris-burge
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/japerry
[12] https://www.drupal.org/u/toddwoof
[13] https://www.drupal.org/u/cilefen
[14] https://www.drupal.org/u/greggles
[15] https://www.drupal.org/u/yesct
[16] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3544618
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news