CVE-2025-11183
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-10-14
Assigner: Switzerland Government Common Vulnerability Program
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qgis | qgis_web_client | 2025.08.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11183 is a stored cross-site scripting (XSS) vulnerability in QGIS Web Client (QWC2) versions prior to 2025.08.14. It occurs because user inputs in the attribute table, specifically in the 'name' or 'description' fields of attribute layers, are rendered without proper encoding or sanitization. This allows an authorized attacker with editing permissions to inject arbitrary JavaScript code that executes in the browsers of other users viewing the attribute layer. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with editing permissions to inject malicious JavaScript code into the attribute table. When other users view the affected attribute layer, the injected code executes in their browsers, potentially leading to website defacement, session theft, or other malicious actions performed in the context of the victim's browser session. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if user inputs in the attribute table's 'name' or 'description' fields are rendered without proper sanitization, allowing JavaScript injection. A practical test is to insert a payload such as `<img src="x" onerror="alert(123)">` into these fields with an authorized user account and then observe if the alert triggers when viewing the attribute layer. There are no specific network commands provided, but manual testing within the QGIS QWC2 interface using this payload can confirm the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update QGIS QWC2 to version v2025.08.14 or later, where the vulnerability is fixed by introducing input sanitization using DOMPurify before rendering user inputs. Until the update is applied, restrict editing permissions to trusted users only to reduce the risk of malicious JavaScript injection. [1]
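As an added illustration of the mitigation described above (example code, not QWC2's own): the unsafe interpolation pattern the advisory describes, beside a hardened renderer and a review check that a maintainer can run over rendered rows. QWC2's fix uses DOMPurify; this dependency-free version substitutes plain HTML-entity encoding, which is stricter (it keeps no markup at all). The `feature` record shape, the field names and all helper names are assumptions.

```javascript
// Added example, not QWC2 code. Plain entity encoding stands in for DOMPurify
// so the file runs in any JavaScript runtime without dependencies.

// Encode the five characters that let text break out of an HTML text node
// or attribute value. '&' must be handled first so later entities stay intact.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-fix behaviour: user-controlled 'name' and 'description' are interpolated
// straight into markup, so any HTML an editor stores is rendered as HTML.
function renderRowUnsafe(feature) {
  return `<tr><td>${feature.name}</td><td>${feature.description}</td></tr>`;
}

// Hardened behaviour: each user-controlled field is encoded before it reaches
// the attribute table, so stored markup is displayed as literal text.
function renderRowSafe(feature) {
  return `<tr><td>${escapeHtml(feature.name)}</td><td>${escapeHtml(feature.description)}</td></tr>`;
}

// Review check: strip the renderer's own <tr>/<td> scaffold and report whether
// any raw tag remains. After correct encoding, no '<' from user data survives.
function hasInjectedMarkup(html) {
  const body = html.replace(/<\/?t[rd]>/g, "");
  return /<[a-z!\/]/i.test(body);
}

// Constructed sample record; the 'name' value is the probe the advisory quotes.
const sampleFeature = {
  name: '<img src="x" onerror="alert(123)">',
  description: "Survey point 12",
};

console.log("unsafe:", renderRowUnsafe(sampleFeature), "->", hasInjectedMarkup(renderRowUnsafe(sampleFeature)));
console.log("safe  :", renderRowSafe(sampleFeature), "->", hasInjectedMarkup(renderRowSafe(sampleFeature)));
```

The check is a regression test for the encoding step, not a substitute for it: any row rendered from stored attribute data that still contains a raw tag means a field bypassed the encoder.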