Executive Summary

CVE-2025-11183 is a stored cross-site scripting (XSS) vulnerability in QGIS Web Client (QWC2) versions prior to 2025.08.14. It occurs because user inputs in the attribute table, specifically in the 'name' or 'description' fields of attribute layers, are rendered without proper encoding or sanitization. This allows an authorized attacker with editing permissions to inject arbitrary JavaScript code that executes in the browsers of other users viewing the attribute layer. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with editing permissions to inject malicious JavaScript code into the attribute table. When other users view the affected attribute layer, the injected code executes in their browsers, potentially leading to website defacement, session theft, or other malicious actions performed in the context of the victim's browser session. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if user inputs in the attribute table's 'name' or 'description' fields are rendered without proper sanitization, allowing JavaScript injection. A practical test is to insert a payload such as `<img src="x" onerror="alert(123)">` into these fields with an authorized user account and then observe if the alert triggers when viewing the attribute layer. There are no specific network commands provided, but manual testing within the QGIS QWC2 interface using this payload can confirm the vulnerability. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update QGIS QWC2 to version v2025.08.14 or later, where the vulnerability is fixed by introducing input sanitization using DOMPurify before rendering user inputs. Until the update is applied, restrict editing permissions to trusted users only to reduce the risk of malicious JavaScript injection. [1]

Useful 0 Not Useful 0