
Cloud Vulnerability DB
A community-led vulnerabilities database
The devise_masquerade gem before version 1.3 contains a security vulnerability (CVE-2021-28680) affecting applications that use the gem to let administrators masquerade as (impersonate) users. The vulnerability weakens security compared to running Devise without this extension. The issue was discovered in December 2020 and fixed in version 1.3.1 (Devise Blog).
The vulnerability becomes exploitable when the server-side `secret_key_base` value is disclosed. In a standard Devise implementation, an attacker holding that secret would still need to know a user's password salt to impersonate them. With devise_masquerade installed, that requirement can be bypassed: the attacker manipulates the session cookie so that it claims the user is already being masqueraded by an administrator, by adding the `devise_masquerade_user` key set to the admin's user ID in the session cookie's JSON/Marshal object (Devise Blog, [GitHub Issue](https://github.com/oivoodoo/devise_masquerade/issues/83)).
If an attacker obtains the `secret_key_base` value (for example, because it was accidentally committed to a public repository), they can impersonate any user on the system by manipulating session cookies, without knowing the target user's password salt. This significantly reduces the security of the authentication system (Devise Blog).
The vulnerability was fixed in devise_masquerade version 1.3.1 by removing the masquerade-back data from the session cookie and storing it in the server's cache instead. Users should upgrade to version 1.3.1 or later to address this issue ([GitHub Issue](https://github.com/oivoodoo/devise_masquerade/issues/83)).
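The contrast between the vulnerable and the fixed design, as an added example that is not the gem's own code: a client-held session that directly names the masquerading admin can be asserted by anyone able to produce a valid cookie, whereas a session that carries only an unguessable token, resolved against a server-side cache, cannot. `MasqueradeStore`, `MemoryCache` (a stand-in for `Rails.cache`), the `masquerade:` key prefix and the 15-minute TTL are assumptions chosen for illustration; only the `devise_masquerade_user` session key name comes from the advisory.

```ruby
require 'securerandom'

# Session key name reported in the advisory.
SESSION_KEY = 'devise_masquerade_user'

# Constructed in-memory stand-in for Rails.cache with expiry (example only).
class MemoryCache
  def initialize
    @entries = {}
  end

  def write(key, value, expires_in:)
    @entries[key] = [value, Time.now + expires_in]
  end

  # Returns nil for unknown or expired entries and evicts expired ones.
  def read(key)
    value, expires_at = @entries[key]
    return nil if value.nil?
    if Time.now >= expires_at
      @entries.delete(key)
      return nil
    end
    value
  end

  def delete(key)
    @entries.delete(key)
  end
end

# Vulnerable pattern (pre-1.3.1 shape): the admin id lives in the client-held
# session, so the application trusts whatever the cookie claims.
def cookie_only_masquerading_admin(session)
  session[SESSION_KEY]
end

# Hardened pattern (shape of the 1.3.1 fix): the session holds only a random
# token; who is masquerading whom is recorded server-side and looked up there.
class MasqueradeStore
  def initialize(cache, ttl: 15 * 60)
    @cache = cache
    @ttl = ttl
  end

  # Called once an authenticated admin begins masquerading as target_user_id.
  # The token is the only thing the client ever sees.
  def start(session, admin_id:, target_user_id:)
    token = SecureRandom.hex(32)
    @cache.write("masquerade:#{token}",
                 { admin_id: admin_id, target_user_id: target_user_id },
                 expires_in: @ttl)
    session[SESSION_KEY] = token
    token
  end

  # Returns the masquerading admin's id, or nil when the session carries no
  # token, a malformed token, an unknown/expired token, or a token recorded for
  # a different target user. A forged admin id in the session resolves to nil.
  def masquerading_admin(session, current_user_id:)
    token = session[SESSION_KEY]
    return nil unless token.is_a?(String) && token.match?(/\A\h{64}\z/)
    record = @cache.read("masquerade:#{token}")
    return nil unless record && record[:target_user_id] == current_user_id
    record[:admin_id]
  end

  # Ends the masquerade on both sides so the token cannot be replayed.
  def stop(session)
    token = session.delete(SESSION_KEY)
    @cache.delete("masquerade:#{token}") if token
  end
end
```

Because the cache record is bound to the target user and expires, a token copied from one session is worthless for another user and stops working once the admin ends the masquerade or the TTL lapses. Disclosure of `secret_key_base` remains serious (it still allows arbitrary session forgery), but with this design a forged `devise_masquerade_user` value no longer grants impersonation on its own.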
Source: This report was generated using AI