Backdrop CMS Masquerade
cpe:2.3:a:backdropcms:backdrop_cms:*:*:*:*:*:*:*
- < 1.x-1.0.1
A critical access bypass vulnerability has been identified in the Masquerade module for Backdrop CMS, affecting versions prior to 1.x-1.0.1. The module allows users to temporarily switch to another user account, and it provides a permission intended to restrict non-administrative users from masquerading as administrators. That restriction is not consistently enforced, so a non-administrative user can potentially masquerade as an administrator. To exploit this vulnerability, an attacker must have a role that includes the 'Masquerade as user' permission.
Exploitation of this vulnerability could allow non-administrative users to gain unauthorized access to administrator accounts, bypassing the intended permission restrictions of the Masquerade module.
Users are advised to upgrade to the latest version of the Masquerade module. The updated version can be downloaded from the Masquerade releases page.
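A check for whether an installed copy falls in the affected range, added here as an example and not taken from the advisory or the Masquerade project. It assumes the module's `.info` file carries a `version = ...` line in the `1.x-MAJOR.MINOR.PATCH` form shown above; the sample file contents are constructed.

```python
import re

FIXED = "1.x-1.0.1"  # first fixed release named in the advisory
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort first
_VERSION_RE = re.compile(
    r"^(\d+)\.x-(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$"
)

# Constructed sample of a module .info file (not copied from a real release).
SAMPLE_INFO = """\
name = Masquerade
type = module
backdrop = 1.x
; packaging metadata (constructed)
project = masquerade
version = 1.x-1.0.0
"""

def parse_version(text):
    """Return a sortable tuple, or None for dev snapshots and unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    core, major, minor, patch, tag, n = m.groups()
    return (int(core), int(major), int(minor), int(patch),
            _PRE_RANK[tag], int(n or 0))

def version_from_info(info_text):
    """Extract the value of the `version = ...` line, skipping ';' comments."""
    for line in info_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(";") and key.strip() == "version":
            return value.strip().strip("'\"")
    return None

def assess(info_text):
    """Classify an install as 'affected', 'fixed' or 'unknown'."""
    version = version_from_info(info_text)
    parsed = parse_version(version) if version else None
    if parsed is None:
        return "unknown"  # e.g. 1.x-1.x-dev or a git checkout: review by hand
    return "affected" if parsed < parse_version(FIXED) else "fixed"

if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

An "unknown" result means the version string cannot be ordered against 1.x-1.0.1, so the install needs manual review rather than being treated as fixed.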