Name of the Vulnerable Software and Affected Versions:

Basecamp Google Sign-In versions prior to 1.3.0

Description:

A malformed URL can bypass the "same origin" check, potentially redirecting users to an unintended origin. This issue affects Rails applications using the library and storing flash information in a session cookie, which could be chained with an attack that allows arbitrary data injection into the session cookie.

Recommendations:

Basecamp Google Sign-In versions prior to 1.3.0: Upgrade to version 1.3.0 or later.

Basecamp Google Sign-In versions prior to 1.3.0: If upgrading is not possible, explicitly set `SameSite=Lax` or `SameSite=Strict` on the application session cookie to mitigate the chained attack.