High severity · NVD Advisory · Published Oct 29, 2025 · Updated Oct 30, 2025

Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105

CVE-2025-9954

Description

Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing. This issue affects Acquia DAM: from 0.0.0 before 1.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Acquia DAM module for Drupal fails to properly validate authorization when listing synced assets, allowing unauthenticated users to bypass access controls and view restricted media.

Vulnerability Overview

The Acquia DAM module for Drupal, which synchronizes media from the Acquia DAM service to a Drupal site, contains a missing authorization vulnerability [1]. The module does not sufficiently validate a user's authorization when listing DAM assets that have been synced to the website, leading to an access bypass issue [2]. This flaw affects all versions of the module before 1.1.5.

Exploitation Details

The vulnerability can be exploited by any user who has the "view media" permission, even if they should not have access to specific DAM assets [2]. The attack vector is network-based and requires no privileges and no user interaction, making it relatively easy to exploit [2]. The issue specifically impacts the views that list DAM assets, including the Acquia DAM Asset Library, Acquia DAM links, and DAM Content Overview views [2].

Impact

Successful exploitation allows an attacker to forcefully browse and access DAM assets that should be restricted, leading to unauthorized information disclosure [1][2]. The CVSS score for this vulnerability is 6.9 (Medium), with the primary impact being on confidentiality [2].

Mitigation

The vendor has released version 1.1.5 of the Acquia DAM module, which fixes the vulnerability by adding permission-based access control to the affected views [2]. Users are strongly advised to upgrade to this version. For sites that cannot immediately update, a workaround exists: manually modify the three affected views to restrict access to the "access media overview" permission [2].
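
A check for the two remediation paths above, written as an added example that is not part of the advisory or the module's code: it classifies the `drupal/acquia_dam` version locked in `composer.lock` against 1.1.5 and lists the displays of an exported view that are not restricted to "access media overview". The sample lock file, the view name `example_dam_listing` and its displays are constructed, and the view layout assumes Drupal's standard exported Views configuration.

```python
import json
import re

PACKAGE = "drupal/acquia_dam"            # package named in the advisory
FIXED = (1, 1, 5)                        # first fixed release per the advisory
REQUIRED_PERM = "access media overview"  # workaround permission per the advisory

def installed_version(lock_text):
    """Return the locked version string of the module, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None

def version_status(version):
    """Classify a composer version as 'affected', 'fixed' or 'unknown'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", version or "")
    if not m:  # dev branches such as "1.x-dev" need manual review
        return "unknown"
    numeric = tuple(int(x) for x in m.group(1, 2, 3))
    # A pre-release of the fixed version (e.g. 1.1.5-rc1) sorts before 1.1.5.
    if numeric < FIXED or (numeric == FIXED and m.group(4)):
        return "affected"
    return "fixed"

def unrestricted_displays(view):
    """List displays of an exported view whose access is not REQUIRED_PERM."""
    displays = view.get("display", {})
    default = displays.get("default", {}).get("display_options", {}).get("access")
    bad = []
    for name, display in displays.items():
        # A display without its own access setting inherits the default display's.
        access = display.get("display_options", {}).get("access", default) or {}
        perm = access.get("options", {}).get("perm")
        if access.get("type") != "perm" or perm != REQUIRED_PERM:
            bad.append(name)
    return sorted(bad)

# Constructed sample input: a trimmed composer.lock and a view export whose
# name and displays are hypothetical, not the module's real view IDs.
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "1.1.4"}]})
SAMPLE_VIEW = {"id": "example_dam_listing", "display": {
    "default": {"display_options": {"access": {"type": "perm", "options": {"perm": "view media"}}}},
    "page_1": {"display_options": {"access": {"type": "perm", "options": {"perm": REQUIRED_PERM}}}},
    "block_1": {"display_options": {}}}}

if __name__ == "__main__":
    print(version_status(installed_version(SAMPLE_LOCK)), unrestricted_displays(SAMPLE_VIEW))
```

A result of `unknown` means the lock file pins a development branch, so the fix has to be confirmed against the checked-out commit rather than the version string.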

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| drupal/acquia_dam (Packagist) | < 1.1.5 | 1.1.5 |
