CVE-2025-27822
Published: 07 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-27822 is an incorrect authorization vulnerability in the Masquerade module for Backdrop CMS, affecting versions prior to 1.x-1.0.1. The module lets authorized users temporarily switch to ("masquerade as") another account, and it defines a separate "Masquerade as admin" permission intended to stop non-administrative users from switching into accounts that hold administrative privileges. Affected versions fail to honor that permission: a user granted only "Masquerade as user" can masquerade as an administrator. The issue is classified as CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker must hold a role with the "Masquerade as user" permission, which is why the vector records low privileges (PR:L). The attack is feasible over the network (AV:N) without user interaction (UI:N), but is rated as high attack complexity (AC:H). Successful exploitation lets the attacker masquerade as an administrator, gaining temporary administrative access and the corresponding high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
The Backdrop CMS security advisory backdrop-sa-contrib-2025-006 (https://backdropcms.org/security/backdrop-sa-contrib-2025-006) covers this vulnerability and states that updating the Masquerade module to version 1.x-1.0.1 or later resolves it. The advisory notes the "Masquerade as user" permission prerequisite as a partial mitigating factor, since a user without that permission cannot exploit the flaw.
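The following PHP example is added here to illustrate the authorization defect described above. It is not the Masquerade module's code and does not use the Backdrop API; the permission strings, the role machine name 'administrator', and the function names are assumptions. It places the vulnerable decision (only "Masquerade as user" is checked) beside the corrected one (an administrator target additionally requires "Masquerade as admin"), and adds a role audit that a site owner could run over an exported role-to-permission map to find which roles the flaw turns into administrator-equivalent before the update is applied.

```php
<?php
// Added illustration of CVE-2025-27822, not the Masquerade module's own code.
// Permission strings, the admin role name and all function names are assumptions;
// a real Backdrop module would consult the CMS permission API instead of arrays.

const PERM_MASQ_USER  = 'masquerade as user';
const PERM_MASQ_ADMIN = 'masquerade as admin';
const ADMIN_ROLE      = 'administrator'; // assumed machine name of the admin role

/**
 * Vulnerable decision: only the general permission is consulted, so the
 * "Masquerade as admin" permission is never honoured for administrator targets.
 */
function masquerade_allowed_vulnerable(array $actor_perms, array $target_roles): bool
{
    return in_array(PERM_MASQ_USER, $actor_perms, true);
}

/**
 * Corrected decision: the general permission is still required, and switching
 * into an account that holds the admin role additionally requires
 * "Masquerade as admin".
 */
function masquerade_allowed_fixed(array $actor_perms, array $target_roles): bool
{
    if (!in_array(PERM_MASQ_USER, $actor_perms, true)) {
        return false;
    }
    $target_is_admin = in_array(ADMIN_ROLE, $target_roles, true);
    if ($target_is_admin && !in_array(PERM_MASQ_ADMIN, $actor_perms, true)) {
        return false;
    }
    return true;
}

/**
 * Pre-patch audit: roles that may masquerade at all but lack the admin
 * permission are exactly the roles an affected version lets reach
 * administrator accounts.
 */
function roles_exposed_by_cve(array $role_perms): array
{
    $exposed = [];
    foreach ($role_perms as $role => $perms) {
        if (in_array(PERM_MASQ_USER, $perms, true)
            && !in_array(PERM_MASQ_ADMIN, $perms, true)) {
            $exposed[] = $role;
        }
    }
    return $exposed;
}

// Constructed sample data: a low-privileged actor (PR:L) holding only the
// general permission, targeting an account that carries the admin role.
$actor_perms  = [PERM_MASQ_USER];
$target_roles = ['authenticated', ADMIN_ROLE];

echo 'vulnerable check allows admin target: ';
var_dump(masquerade_allowed_vulnerable($actor_perms, $target_roles));
echo 'fixed check allows admin target: ';
var_dump(masquerade_allowed_fixed($actor_perms, $target_roles));

// Constructed role-to-permission map of the kind a site owner could export.
$role_perms = [
    'administrator' => [PERM_MASQ_USER, PERM_MASQ_ADMIN],
    'support'       => [PERM_MASQ_USER],
    'editor'        => [],
];
echo 'roles exposed on an affected version: ';
print_r(roles_exposed_by_cve($role_perms));
```

Run with `php example.php`. The audit function is the practical pre-update check: every role it lists holds "Masquerade as user" without "Masquerade as admin" and, on an affected version, can reach administrator accounts. Removing "Masquerade as user" from such roles until 1.x-1.0.1 is installed is the interim measure that follows from the advisory's stated prerequisite.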
Details
- CWE(s): CWE-863 (Incorrect Authorization)
- MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
The vulnerability bypasses the 'Masquerade as admin' permission check, letting a low-privileged user who holds 'Masquerade as user' impersonate an administrator and obtain elevated access. Abusing a software flaw to gain higher privileges maps directly to Exploitation for Privilege Escalation.