Muntrive

**Name of the Vulnerable Software and Affected Versions** Basecamp's google sign in gem versions prior to 1.3.1 **Description** The gem persists a URL for redirection after authentication. If this URL is set to a protocol-relative URL, it improperly passes the "same origin" check, potentially redirecting a user to another origin after authentication. This could result in exposure of authentication information if chained with other attacks that modify OAuth2 request parameters. Any Rails applications using the gem may be vulnerable if this vector can be chained with another attack. **Recommendations** Update to version 1.3.1 or later.

Name of the Vulnerable Software and Affected Versions: Basecamp Google Sign-In versions prior to 1.3.0 Description: A malformed URL can bypass the "same origin" check, potentially redirecting users to an unintended origin. This issue affects Rails applications using the library and storing flash information in a session cookie, which could be chained with an attack that allows arbitrary data injection into the session cookie. Recommendations: Basecamp Google Sign-In versions prior to 1.3.0: Upgrade to version 1.3.0 or later. Basecamp Google Sign-In versions prior to 1.3.0: If upgrading is not possible, explicitly set `SameSite=Lax` or `SameSite=Strict` on the application session cookie to mitigate the chained attack.