DRUPAL-CONTRIB-2025-105

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/acquia_dam/DRUPAL-CONTRIB-2025-105.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-105

Aliases

Published

2025-09-03T16:15:48Z

Modified

2025-12-10T23:41:15.068148Z

Summary

[none]

Details

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.

The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

https://www.drupal.org/sa-contrib-2025-105

Credits

- Brandon Goodwin (bgoodie)
- - https://www.drupal.org/u/bgoodie
- Chris Burge (chris burge)
- - https://www.drupal.org/u/chris-burge
- Todd Woofenden (toddwoof)
- - https://www.drupal.org/u/toddwoof

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/acquia_dam

Package

Name: drupal/acquia_dam
Purl: pkg:composer/drupal/acquia_dam

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.1.5

Database specific

{
    "constraint": "<1.1.5"
}

Database specific

affected_versions

"<1.1.5"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/acquia_dam/DRUPAL-CONTRIB-2025-105.json"