CVE-2025-27822

An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permission to restrict people (who can masquerade) from switching to an account with administrative privileges. This permission is not always honored and may allow non-administrative users to masquerade as an administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the "Masquerade as user" permission.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://backdropcms.org/security/backdrop-sa-contrib-2025-006

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en el módulo Masquerade antes de la versión 1.x-1.0.1 para Background CMS. Permite que las personas cambien temporalmente a otra cuenta de usuario. El módulo proporciona un permiso "Hacerse pasar por administrador" para impedir que las personas (que pueden hacerse pasar por administrador) cambien a una cuenta con privilegios administrativos. Este permiso no siempre se respeta y puede permitir que usuarios no administrativos se hagan pasar por administradores. Esta vulnerabilidad se mitiga por el hecho de que un atacante debe tener un rol con el permiso "Hacerse pasar por usuario".

07 Mar 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-07 22:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-27822

Mitre link : CVE-2025-27822

CVE.ORG link : CVE-2025-27822

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

7.5 /10