Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-September-03
Vulnerability:
Access bypass, Information Disclosure
Affected versions:
<1.1.5
CVE IDs:
CVE-2025-9954
Description:
This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.
The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.
This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.
CVSS risk score (experimental) 6.9 / Medium
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Solution:
Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module.
- If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam 1.1.5
Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview.
Fixed By:
- Chris Burge (chris burge)
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Jakob P (japerry)
- Todd Woofenden (toddwoof)
Coordinated By:
- cilefen (cilefen) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
