
Stored cross-site scripting vulnerability in QGIS Web Client (QWC2) allows attackers to run arbitrary JavaScript code in the browser of other users

Open Source

NTCF:
NTCF-2025-4286

CVE:
CVE-2025-11183

Product:
qwc2

Vendor:
QGIS

Criticality:
medium

Status:
fixed

Discovered:
2025-07-23

Detail:
Public

Vulnerable version:
<2025.08.14

Fixed version:
2025.08.14

Summary

QGIS Web Client (QWC2) is a responsive web client for QGIS Server, built with ReactJS and OpenLayers. Versions below v2025.08.14 are vulnerable to stored cross-site scripting: attribute values that the client renders as HTML are inserted into the page without sanitization.

Background

QGIS is a widely adopted, open-source desktop geographic information system for creating, analyzing, and publishing geospatial data, while QWC2 (QGIS Web Client 2) is a modern, React and OpenLayers-based web viewer that serves maps and services from QGIS Server to browsers.

In a pilot project with the NCSC, the NTC evaluated the security of QGIS Server and QWC2 to ensure the security of open source software used within the Swiss administration. Read more about the project here.

Vulnerability

Among other places, the attribute table is vulnerable to XSS via the Name and Description fields. An adversary with edit permissions on a layer can store arbitrary HTML, including JavaScript, in these attributes. The payload runs later in the browser of every other user who views that layer's attribute table, which makes this a stored (persistent) XSS.

The snippet below shows part of the code in components/LayerInfoWindow.jsx at commit ea573ea9094bc82cda0aa528023603f1e06799b3, the state before the vulnerability was fixed:

return (
    <tr>
        <td>{title}:</td>
        {html ? (
            <td dangerouslySetInnerHTML={{__html: MiscUtils.addLinkAnchors(content)}} />
        ) : (
            <td>{content}</td>
        )}
    </tr>
);

The dangerouslySetInnerHTML line is the vulnerable pattern. React escapes the value in the plain {content} branch, but in the html branch the field content is passed through MiscUtils.addLinkAnchors and then written into the DOM as raw markup, without encoding or sanitization. Any HTML an editor stores in the field, including tags with event handlers, is therefore parsed and executed by the browser.

This could be used, for example, to deface the web client, to steal other users' session tokens, or to perform actions in the application with the victim's privileges.
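To make the pattern concrete, the following is an added example and not QWC2's code or the upstream patch. It models, as plain string building, what React emits for the two JSX branches above: the {content} branch is escaped by React, while the dangerouslySetInnerHTML branch inserts whatever addLinkAnchors returns as-is. addLinkAnchors here is a hypothetical stand-in that only wraps http(s) URLs in anchors; the hardened variant escapes the field value before linkifying it, which is a different technique from the DOMPurify sanitization the upstream fix applies to the finished markup. The payload is the advisory's PoC value; the link sample is constructed.

```javascript
// Added example: models the LayerInfoWindow row rendering as string building.
// Not QWC2 code; React is not used so that the example runs offline in Node.

// HTML-encode the characters that can break out of text or attribute context.
// This is what React does for {content}; dangerouslySetInnerHTML skips it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for MiscUtils.addLinkAnchors: wraps http(s) URLs in
// anchors. It produces markup, which is why the real component renders the
// result via dangerouslySetInnerHTML instead of as text.
function addLinkAnchors(text) {
  return text.replace(
    /https?:\/\/[^\s<"']+/g,
    (url) => `<a href="${url}" target="_blank" rel="noopener noreferrer">${url}</a>`,
  );
}

// Vulnerable pattern (before the fix): in the html branch the raw field value
// reaches the DOM, so any tag the editor typed into Name/Description executes.
function renderRowVulnerable(title, content, html) {
  const cell = html
    ? `<td>${addLinkAnchors(content)}</td>` // dangerouslySetInnerHTML
    : `<td>${escapeHtml(content)}</td>`; // {content}
  return `<tr><td>${escapeHtml(title)}:</td>${cell}</tr>`;
}

// Hardened variant: escape the untrusted value first, then add only the anchor
// markup the code itself generates. The upstream patch takes another route and
// runs DOMPurify over the finished markup; either way no attacker-controlled
// tag survives.
function renderRowHardened(title, content, html) {
  const cell = html
    ? `<td>${addLinkAnchors(escapeHtml(content))}</td>`
    : `<td>${escapeHtml(content)}</td>`;
  return `<tr><td>${escapeHtml(title)}:</td>${cell}</tr>`;
}

// Rough check used to compare the two outputs: does the markup contain a tag
// that can run script (script/img/svg/... or any on* handler or javascript: URL)?
// Only real tags are inspected, so escaped text such as "&lt;img ... onerror="
// does not count.
function containsActiveContent(markup) {
  const tags = markup.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some(
    (tag) =>
      /^<(script|img|svg|iframe|object|embed)\b/i.test(tag) ||
      /\son[a-z]+\s*=/i.test(tag) ||
      /\s(href|src)\s*=\s*["']?\s*javascript:/i.test(tag),
  );
}

// The advisory's PoC value, and a constructed value that legitimately needs a link.
const POC_PAYLOAD = '<img src="x" onerror="alert(123)">';
const LINK_SAMPLE = 'see https://example.org/?a=1&b=2 for details';

for (const [label, render] of [['vulnerable', renderRowVulnerable], ['hardened', renderRowHardened]]) {
  const out = render('Name', POC_PAYLOAD, true);
  console.log(`${label}: active content = ${containsActiveContent(out)}\n  ${out}`);
}
console.log(renderRowHardened('Description', LINK_SAMPLE, true));
```

Running it shows the vulnerable row carrying the literal img tag with its onerror handler, while the hardened row contains only entity-encoded text and still turns the URL in the constructed sample into a clickable anchor. The important design point is ordering: escaping has to happen before any code-generated markup is added, otherwise the escaping would also destroy the anchors.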

Proof of Concept

The vulnerability can be reproduced by following these steps:

  1. Ensure you are logged in with a user that has edit permissions for the layers shown in the attribute table (Lines, Points, Polygons, etc.).
  2. Open the editing dialog via Burger Menu (top right) > Map Tools > Editing.
  3. Draw an arbitrary line (double-click to finish the line).
  4. Open the attribute table by clicking the table button in the editing dialog.
  5. Edit the Name (or Description) field of the line to this value: <img src="x" onerror="alert(123)">
  6. An alert box with the text 123 pops up, confirming the stored XSS vulnerability. The same alert appears for any other user who opens the attribute table of that layer.

[Screenshot: Cross-Site Scripting vulnerability in QWC2]

Remediation

This vulnerability was reported to the QGIS security team and fixed in 764fa4e5f78115d11459d9e1221cf3d39ab3b04c. The patch sanitizes untrusted content with DOMPurify before it is set as innerHTML, so stored markup is stripped of scripts and event handlers before it reaches the DOM.

Patches

This issue has been fixed in version v2025.08.14. All users of QWC2 are recommended to update to the latest version. Until the update is deployed, edit permissions on layers should be treated as equivalent to the ability to run JavaScript in every other user's browser.

Timeline

2025-06-05: private disclosure to vendor

2025-07-23: initial discovery

2025-08-14: fix by vendor

2025-10-13: public disclosure