Backdrop CMS · Masquerade · CVE-2025-27822
**Name of the Vulnerable Software and Affected Versions**
Backdrop CMS Masquerade module versions prior to 1.x-1.0.1
**Description**
The Masquerade module lets a user temporarily switch to another user account. The `Masquerade as admin` permission is intended to restrict which users may switch to an account with administrative privileges. In affected versions this permission is not always honored, so a user who holds only the `Masquerade as user` permission may be able to masquerade as an administrator. Exploitation requires that the attacker already have a role with the `Masquerade as user` permission, which mitigates the issue.
**Recommendations**
For Backdrop CMS Masquerade module versions prior to 1.x-1.0.1, update to version 1.x-1.0.1 or later to resolve the issue. Until the update is applied, restrict the `Masquerade as user` permission to trusted roles only, and review which roles currently hold it, to minimize the risk of exploitation.
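The following is an added illustration of the access decision the description and the workaround refer to; it is not code from the Backdrop Masquerade module. It models two versions of the target check: one that only honors `Masquerade as user` (the behavior the advisory describes) and one that additionally requires `Masquerade as admin` whenever the target account is administrative. The role names, the role-to-permission table, the `User` class, the treatment of uid 1 as administrative and the `roles_with_permission` audit helper are all assumptions made for the example.

```python
"""Model of the masquerade target check described in the advisory.

Added example, not Backdrop or Masquerade module code. Role names,
permission strings, sample users and helpers are assumptions.
"""
from dataclasses import dataclass, field

# Permission names as spelled in the advisory (assumed constants).
MASQUERADE_AS_USER = "masquerade as user"
MASQUERADE_AS_ADMIN = "masquerade as admin"

# Constructed sample data: which roles hold which permissions.
ROLE_PERMISSIONS = {
    "anonymous": set(),
    "authenticated": set(),
    "editor": {MASQUERADE_AS_USER},
    "support": {MASQUERADE_AS_USER, MASQUERADE_AS_ADMIN},
    "administrator": {MASQUERADE_AS_USER, MASQUERADE_AS_ADMIN, "administer users"},
}

# Roles treated as administrative for the check (assumption for the example).
ADMIN_ROLES = {"administrator"}


@dataclass
class User:
    uid: int
    roles: set = field(default_factory=set)

    def has_permission(self, perm):
        """True if any of the user's roles grants `perm`."""
        return any(perm in ROLE_PERMISSIONS.get(r, set()) for r in self.roles)

    def is_admin(self):
        """Assumption: uid 1 (the site owner) and any ADMIN_ROLES member count as admin."""
        return self.uid == 1 or bool(self.roles & ADMIN_ROLES)


def can_masquerade_vulnerable(actor, target):
    """Check that only honors 'masquerade as user'.

    This is the behavior the advisory describes: the administrative status
    of the target is never consulted, so an editor can switch to uid 1.
    """
    if actor.uid == target.uid:
        return False
    return actor.has_permission(MASQUERADE_AS_USER)


def can_masquerade_fixed(actor, target):
    """Check that also requires 'masquerade as admin' for administrative targets.

    The extra condition must be evaluated on every code path that performs
    the switch, not only in the UI that lists candidate accounts.
    """
    if actor.uid == target.uid:
        return False
    if not actor.has_permission(MASQUERADE_AS_USER):
        return False
    if target.is_admin() and not actor.has_permission(MASQUERADE_AS_ADMIN):
        return False
    return True


def roles_with_permission(perm):
    """Audit helper for the workaround: sorted list of roles granting `perm`."""
    return sorted(r for r, perms in ROLE_PERMISSIONS.items() if perm in perms)


if __name__ == "__main__":
    editor = User(uid=5, roles={"authenticated", "editor"})
    admin = User(uid=1, roles={"authenticated", "administrator"})
    print("vulnerable check, editor -> uid 1:", can_masquerade_vulnerable(editor, admin))
    print("fixed check, editor -> uid 1:", can_masquerade_fixed(editor, admin))
    print("roles holding", repr(MASQUERADE_AS_USER), ":", roles_with_permission(MASQUERADE_AS_USER))
```

Running the script shows the editor role passing the first check and failing the second; the `roles_with_permission` output is the list a site owner would review when applying the temporary workaround of trimming `Masquerade as user` to trusted roles.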