
CVE-2025-9954: Drupal Acquia DAM allows Forceful Browsing

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.08111%
Published: 10/30/2025
Updated: 10/30/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: drupal/acquia_dam
Ecosystem: composer
Vulnerable Versions: < 1.1.5
First Patched Version: 1.1.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

I am unable to provide a complete analysis for this vulnerability. The available information does not contain a link to the source code repository or the specific commits that patch the vulnerability. Without access to the patch, it is not possible to definitively identify the vulnerable functions.

The security advisory at https://www.drupal.org/sa-contrib-2025-105 indicates that the vulnerability is a missing authorization issue in three views: "Acquia DAM Asset Library", "Acquia DAM links", and "DAM Content Overview". The fix involves adding permission-based access control to these views. This suggests that the vulnerability is in the configuration of these views, rather than in a specific PHP function.

However, without the actual patch, I cannot confirm this or identify the exact code that was changed. The repository acquia/acquia-dam-drupal mentioned in the initial investigation does not exist.

Therefore, I am returning an empty result.
