CVE-2017-12097
Description
An exploitable cross-site scripting (XSS) vulnerability exists in the filter functionality of the delayed_job_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary JavaScript in the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability in delayed_job_web gem 1.4's filter functionality allows arbitrary JavaScript execution via crafted URLs.
Vulnerability
The delayed_job_web gem version 1.4 contains a cross-site scripting (XSS) vulnerability in its filter functionality. The filter input is not properly escaped before being rendered in the web interface, allowing an attacker to inject arbitrary HTML/JavaScript via a specially crafted URL. This affects all installations using version 1.4 of the gem [1][2].
Exploitation
An attacker can craft a malicious URL containing JavaScript payloads in the filter parameter and phish an authenticated user into clicking the link. No additional authentication is required beyond the victim's existing session. The attacker does not need any special network position; the attack can be performed remotely via social engineering [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, data theft, or further actions within the delayed_job_web interface. The attacker gains the same privileges as the authenticated user [1][4].
Mitigation
The vulnerability is fixed in delayed_job_web commit 6bcb10e61ea2b9a44ffa16be8536dff46ad51449, which escapes the filter output [2]. Users should upgrade to a version containing this fix or apply the patch manually. No official release with the fix has been identified in the references; the advisory recommends using the patched code [4]. As of the publication date, no workaround other than upgrading is documented.
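As an added illustration (not the gem's own code and not part of the advisory), the helper below mirrors the shape of the fix: a constructed stand-in for a link-building helper in its unescaped and CGI.escape'd forms, plus a check for raw markup characters in the emitted link. The path prefix and queue names are constructed sample inputs, and the helper takes them as arguments rather than reading application state.

```ruby
require "cgi"

# Constructed stand-in for a link-building helper like the gem's url_path.
# Assumption: path_prefix and queues are passed in explicitly instead of being
# read from the application's instance state.
def url_path_unescaped(path_prefix, queues, *path_parts)
  url = [path_prefix, path_parts].join("/").squeeze("/")
  # Vulnerable shape: queue names taken from the request are interpolated
  # into the query string verbatim, so '"', '<' and '>' reach the HTML.
  url += "?queues=#{queues.join(",")}" unless queues.empty?
  url
end

def url_path_escaped(path_prefix, queues, *path_parts)
  url = [path_prefix, path_parts].join("/").squeeze("/")
  # Fixed shape (what the fix commit does): percent-encode the joined list,
  # so every non-unreserved character becomes %XX (or '+' for a space).
  url += "?queues=#{CGI.escape(queues.join(","))}" unless queues.empty?
  url
end

# Defensive check: does a generated link still carry characters that can
# terminate an HTML attribute or open a tag when rendered without escaping?
def contains_raw_markup?(url)
  url.match?(/[<>"']/)
end

# Constructed sample input: one ordinary queue name and one odd one.
SAMPLE_QUEUES = ["mailers", 'a "b" <c>'].freeze

if __FILE__ == $PROGRAM_NAME
  puts url_path_unescaped("/delayed_job", SAMPLE_QUEUES, "overview")
  puts url_path_escaped("/delayed_job", SAMPLE_QUEUES, "overview")
end
```

The escaped form turns the odd queue name into `a+%22b%22+%3Cc%3E`, so the link can no longer carry raw markup; the unescaped form emits the characters verbatim.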
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| delayed_job_web (RubyGems) | >= 1.2.9, < 1.4.2 | 1.4.2 |
Affected products
- Range: = 1.4
- Talos / delayed_job_web rails gem, range: delayed_job_web 1.4
Patches
6bcb10e61ea2: Fixes #101: Add escape for CVE-2017-12097
1 file changed · +1 −1
lib/delayed_job_web/application/app.rb+1 −1 modified@@ -45,7 +45,7 @@ def per_page def url_path(*path_parts) url = [ path_prefix, path_parts ].join("/").squeeze('/') - url += "?queues=#{@queues.join(",")}" unless @queues.empty? + url += "?queues=#{CGI.escape(@queues.join(","))}" unless @queues.empty? url end
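Review bot: `CGI.escape` is introduced in url_path but no `require 'cgi'` appears in this hunk; confirm that app.rb or one of its dependencies already loads it, otherwise the escaped branch raises NameError on the first request that carries a queue filter. Escaping the joined string is otherwise the right fix for this sink: `<`, `>`, `"` and `'` all become `%XX`, so the queue names can no longer break out of the link's attribute, and the separator commas become `%2C`, which is fine as long as the consumer decodes the parameter before splitting it. Worth confirming that any other place the page renders `@queues` (such as the filter form itself, not shown here) escapes it too.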
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w7q9-xr2x-wh7x (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-12097 (GHSA, advisory)
- www.securityfocus.com/bid/102484 (MITRE, vdb-entry, x_refsource_BID)
- github.com/ejschmitt/delayed_job_web/commit/6bcb10e61ea2b9a44ffa16be8536dff46ad51449 (GHSA, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/delayed_job_web/CVE-2017-12097.yml (GHSA, web)
- rubygems.org/gems/delayed_job_web/versions/1.4 (GHSA, web)
- web.archive.org/web/20200227132840/http://www.securityfocus.com/bid/102484 (GHSA, web)
- www.talosintelligence.com/vulnerability_reports/TALOS-2017-0449 (GHSA, x_refsource_MISC, web)