Spina’s admin screen has a stored XSS in the page title.
By embedding arbitrary JavaScript code in the function of Paguri, arbitrary scripts can be executed in the browser of an administrator user who accesses the page and then deletes it.
Step 1. Access the admin screen and open a new page.
Step 2. Specify the payload below in the title of the page and save it.
Step 3. The embedded script (alert) is executed on the confirmation screen when the saved page is deleted.
'"><img src>
page[en_content_attributes][0][title]
Users who can log in to the administrator screen and edit pages
https://drive.google.com/file/d/1daQkxox9Y_U4pveMv24daeWUfA9u_vte/view?usp=sharing
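A defender-side regression check for this class of bug, added here as an example and not taken from Spina's code: `confirm_unsafe` and `confirm_safe` are hypothetical stand-ins for a delete-confirmation view, and only the title value comes from the report. It renders the title raw and escaped with `ERB::Util.html_escape`, then lists any tags in the output that the template did not emit itself.

```ruby
require "erb"

# Title value from the report, exactly as printed on the page.
PAYLOAD = %q('"><img src>)

# Tags the (hypothetical) confirmation template emits on its own.
TEMPLATE_TAGS = %w[div p].freeze

# Hypothetical vulnerable view: the stored title is interpolated into
# both an attribute and element text without any output encoding.
def confirm_unsafe(title)
  %(<div class="modal" data-title="#{title}"><p>Delete "#{title}"?</p></div>)
end

# Hardened form: the title is HTML-escaped at output time, so quotes and
# angle brackets cannot close the attribute or open a new element.
def confirm_safe(title)
  escaped = ERB::Util.html_escape(title)
  %(<div class="modal" data-title="#{escaped}"><p>Delete "#{escaped}"?</p></div>)
end

# Regression check: opening-tag names present in the rendered markup
# that are not part of the template. A non-empty result means user data
# was parsed as markup.
def unexpected_tags(html)
  found = html.scan(/<\s*([a-zA-Z][a-zA-Z0-9]*)/).flatten.map(&:downcase).uniq
  found - TEMPLATE_TAGS
end

if __FILE__ == $PROGRAM_NAME
  { "unsafe" => confirm_unsafe(PAYLOAD), "safe" => confirm_safe(PAYLOAD) }.each do |name, html|
    puts "#{name}: #{html}"
    puts "  unexpected tags: #{unexpected_tags(html).inspect}"
  end
end
```

The same check can run in a view or system test against every screen that displays the page title, including confirmation dialogs.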