- Masquerade module versions prior to 1.x-1.0.1.
The Masquerade module allows people to temporarily switch to another user account.
The module provides a "Masquerade as admin" permission, which is meant to prevent people who can masquerade from switching to an account with administrative privileges. This permission is not always honored, which may allow non-administrative users to masquerade as an administrator.
This vulnerability is mitigated by the fact that an attacker must have a role with the "Masquerade as user" permission.
Upgrade your site to the most recent version of the Masquerade module. A download is available on the Masquerade releases page.
- Jen Lampton of the Backdrop CMS Security Team