VYPR
Low severity · NVD Advisory · Published Jun 28, 2023 · Updated Nov 6, 2024

Cross-site Scripting (XSS) - Stored in spinacms/spina

CVE-2023-3445

Description

Cross-site Scripting (XSS) - Stored in GitHub repository spinacms/spina prior to 2.15.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Spina CMS allows authenticated users with page editing permissions to inject arbitrary JavaScript via unsanitized page titles.

Vulnerability

Description

CVE-2023-3445 is a stored cross-site scripting (XSS) vulnerability in Spina CMS, a Ruby on Rails content management system. The root cause is insufficient sanitization of the page title attribute when displayed in the admin interface's delete confirmation dialog. The commit that fixes the issue [4] shows the vulnerability originates in the view where @page.title is directly interpolated into a JavaScript-enabled context without sanitization. Specifically, the confirm_message parameter of the delete button form data was rendering the raw page title, allowing an attacker to inject malicious HTML or JavaScript.

Exploitation

An authenticated user with permission to create or edit pages can exploit this vulnerability. By setting a page title to a malicious payload (e.g., ``), the payload becomes stored in the database. When any administrator (including those with higher privileges) visits the page listing or uses the delete functionality, the unsanitized title is rendered in the confirmation dialog, executing the injected script in the context of the admin's browser session [1]. No additional user interaction beyond viewing the affected page list is required.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator's session within the Spina admin panel. This could lead to session hijacking, defacement of administrative content, theft of sensitive tokens or cookies, and potentially privilege escalation by performing actions on behalf of the victim administrator. Since the vulnerability is stored, the payload persists and can affect multiple users over time, increasing its severity.

Mitigation

The vulnerability was addressed in Spina version 2.15.1 by sanitizing the page title using Rails' sanitize helper before passing it to the confirmation dialog [1][4]. Users are strongly advised to upgrade to version 2.15.1 or later. No workarounds are publicly documented; patching is the recommended course of action. The fix was released on June 28, 2023, and the vulnerability has been publicly disclosed [1][2].
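Because the payload persists in the database, upgrading alone does not remove titles that were injected before the fix. The following is an added example (not Spina's code, and not the upstream fix): a stdlib-only Ruby audit that flags stored page titles containing markup, plus a plain-text escaping helper shown as an alternative to the allowlist sanitizer used upstream. The table name and the sample titles are constructed for illustration.

```ruby
require "cgi"

# A page title is plain text, so any tag, or an entity-encoded angle bracket
# that a client-side renderer might decode back into one, is suspect.
MARKUP_PATTERN = %r{</?[a-z][^>]*>|&(?:lt|gt|#0*60|#0*62|#x0*3c|#x0*3e);}i

def suspicious_title?(title)
  title.match?(MARKUP_PATTERN)
end

# Escape a title so it is rendered literally wherever it is inserted.
# Unlike sanitize(), this keeps no markup at all, which is the right policy
# for a field that should never contain HTML in the first place.
def plain_text_confirm_message(title)
  "Are you sure you want to delete #{CGI.escapeHTML(title)}?"
end

# Constructed sample rows, as they might come from
#   SELECT id, title FROM spina_pages   (assumed table name)
SAMPLE_TITLES = {
  1 => "About us",
  2 => "Contact <b>us</b>",          # markup stored in a title
  3 => "News &lt;script&gt;",        # entity-encoded, decodes client-side
  4 => "Pricing & plans"             # bare ampersand is harmless
}.freeze

# Returns the ids of titles that should be reviewed and cleaned by an admin.
def audit_titles(titles)
  titles.select { |_id, title| suspicious_title?(title) }.keys
end

if __FILE__ == $PROGRAM_NAME
  audit_titles(SAMPLE_TITLES).each do |id|
    puts "page #{id}: #{SAMPLE_TITLES[id].inspect} contains markup"
  end
end
```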

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions   Patched versions
spina (RubyGems)    < 2.15.1            2.15.1

Affected products (2)

  • ghsa-coords
    Range: < 2.15.1
  • spinacms/spinacms/spinav5
    Range: unspecified

Patches (1)

Commit 9adfe7b4807b: Sanitiez title (#1258)
https://github.com/spinacms/spina · Bram Jetten · Jun 28, 2023 · via ghsa
1 file changed · +1 −1
  • app/components/spina/pages/actions_component.html.erb (modified, +1 −1)
    @@ -40,7 +40,7 @@
             <% end %>
             
             <% if @page.deletable? %>
    -          <%= button_to t('spina.pages.delete'), helpers.spina.admin_page_path(@page), method: :delete, class: "block w-full text-left px-4 py-2 text-sm leading-5 font-medium text-red-500 cursor-pointer bg-white hover:bg-red-100 hover:bg-opacity-50 hover:text-red-500 focus:outline-none focus:bg-gray-100 focus:text-gray-900", form: {data: {controller: "confirm", confirm_message: t('spina.pages.delete_confirmation', subject: @page.title)}} %>
    +          <%= button_to t('spina.pages.delete'), helpers.spina.admin_page_path(@page), method: :delete, class: "block w-full text-left px-4 py-2 text-sm leading-5 font-medium text-red-500 cursor-pointer bg-white hover:bg-red-100 hover:bg-opacity-50 hover:text-red-500 focus:outline-none focus:bg-gray-100 focus:text-gray-900", form: {data: {controller: "confirm", confirm_message: t('spina.pages.delete_confirmation', subject: sanitize(@page.title))}} %>
             <% else %>
               <span class="block px-4 py-2 text-sm leading-5 text-gray-400"><%=t 'spina.pages.cannot_be_deleted' %></span>
             <% end %>
    
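Review bot: sanitize() applies Rails' default tag allowlist, so a title such as "Contact <b>us</b>" still reaches data-confirm-message with its markup intact and is rendered as HTML by whatever the confirm controller does with that string; since a page title is plain text, strip_tags(@page.title) on the server, or having the controller set the message through textContent rather than as HTML, would close the gap more tightly than the allowlist sanitizer. This hunk patches only the delete button, so it is worth confirming that no other view in the component interpolates @page.title into a data attribute the same way.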

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.