Clearance · CVE-2021-23435
**Name of the Vulnerable Software and Affected Versions**
clearance versions prior to 2.5.0
**Description**
The issue arises when users can set the value of `session[:return_to]`, the location Clearance redirects to after sign-in. If the value used for `return_to` contains multiple leading slashes (e.g., `/////example.com`), it passes as a local path but is emitted as the redirect target unchanged. Browsers treat a `Location` that starts with two or more slashes as a protocol-relative URL and resolve it against the host that follows the slashes, so the user is redirected to the external domain (e.g., `http://example.com`). This is an open redirect: a sign-in link on the legitimate site can deliver the user to an attacker-controlled page after they authenticate.
**Recommendations**
For versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, do not let user-controlled input reach `session[:return_to]` directly, or validate and sanitize the `return_to` value before storing or using it: accept only a same-origin path (a single leading slash, no scheme, no host, no backslashes), collapse any run of leading slashes to one, and fall back to a fixed local URL for anything else.
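The following is an added example, not Clearance's own code, illustrating both the description and the workaround above. `naive_return_to` is an assumed reconstruction of the vulnerable pattern (trusting the parsed path and query of the stored value); `safe_return_to` is one way to sanitize the value. The helper names and the fallback of `/` are assumptions for illustration.

```ruby
require "uri"

# Assumed reconstruction of the vulnerable pattern (not Clearance's source):
# the parsed path and query of session[:return_to] are trusted as a local target.
def naive_return_to(value)
  return nil if value.nil? || value.empty?
  uri = URI.parse(value)
  # "//example.com": Ruby's URI parser consumes "example.com" as the host, the
  # path is empty, and the redirect is harmless.
  # "///example.com" (or more slashes): the host is empty and the path keeps the
  # extra slashes, so "///example.com" is returned. Rails' redirect_to passes a
  # string beginning with "//" through unchanged as a protocol-relative URL, and
  # browsers skip every leading slash before reading the host (WHATWG URL
  # "special authority ignore slashes" state), landing on https://example.com/.
  "#{uri.path}?#{uri.query}".chomp("?")
rescue URI::InvalidURIError
  nil
end

# Hardened replacement: only a same-origin path survives; anything else falls
# back to a fixed local default.
def safe_return_to(value, fallback: "/")
  return fallback if value.nil? || value.empty?
  # Browsers treat "\" like "/" when resolving a Location header, so reject it
  # rather than let "/\example.com" slip through as a "path".
  return fallback if value.include?("\\")
  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    return fallback
  end
  # Anything carrying a scheme, userinfo or a non-empty host is an external target.
  return fallback if uri.scheme || uri.userinfo || !uri.host.to_s.empty?
  # Collapse a run of leading slashes to exactly one, then require an absolute path.
  path = uri.path.to_s.sub(%r{\A/+}, "/")
  return fallback unless path.start_with?("/")
  uri.query ? "#{path}?#{uri.query}" : path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a legitimate target, the two-slash and five-slash
  # variants, an absolute URL and a backslash variant.
  ["/dashboard?tab=1", "//example.com", "/////example.com",
   "https://example.com/", "/\\example.com"].each do |v|
    puts format("%-22s naive=%-20p safe=%p", v, naive_return_to(v), safe_return_to(v))
  end
end
```

The contrast between the two-slash and five-slash inputs is the whole bug: a check that only inspects the parsed path sees an empty path for `//example.com` but `///example.com` for the longer form, and the latter is still a cross-origin redirect once a browser parses it. The hardened version normalizes the path before deciding and rejects anything with a scheme or host, which also covers `https://`, `javascript:`-style and backslash variants.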