
Stored cross-site scripting vulnerability in the QWC2 registration GUI allows attackers to run arbitrary JavaScript code in the browser of other users

Open Source

NTCF:
NTCF-2025-7724

CVE:
CVE-2025-11184

Product:
qwc-registration-gui

Vendor:
qwc-services

Criticality:
medium

Status:
fixed

Discovered:
2025-07-23

Detail:
Public

Vulnerable version:
<2025.09.30

Fixed version:
2025.09.30

Summary

QGIS Web Client (QWC2) is a responsive web client for QGIS Server. The QWC Registration GUI is an optional application form for QWC2 that allows users to submit group membership requests. Versions below v2025.09.30 are vulnerable to stored cross-site scripting via the description of registrable groups.

Background

QGIS is a widely adopted, open‑source desktop geographic information system for creating, analyzing, and publishing geospatial data, while QWC2 (QGIS Web Client 2) is a modern, ReactJS & OpenLayers‑based web viewer that serves maps and services from QGIS Server to browsers.

In a pilot project with the NCSC, the NTC evaluated the security of QGIS Server and QWC2 to ensure the security of open source software used within the Swiss administration. Read more about the project here.

Vulnerability

There is a stored Cross-Site Scripting (XSS) vulnerability in the registration module via registrable groups. An adversary with editing rights on registrable groups can place arbitrary HTML and JavaScript in a group's description. That code is later executed in the browser of every other user who displays the registration page.

The underlying issue lies in the src/templates/registration.html template, where user-controlled input is explicitly marked as safe, which switches off Jinja2's autoescaping for that value. The snippet below shows the affected table rows as of commit 765bc205df891368a314e1b35c6c8650d84b545b.

<tr class="{{ 'danger' if rg['member'] else 'active' }}">
  <td><b class="text-muted">{{ rg['title'] }}</b></td>
  <td>{{ rg['description'] | safe }}</td>
  <td><button type="button" class="btn btn-secondary" disabled>{{ utils.render_icon('hourglass') }} {{ "registration.pending" | i18n }}</button></td>
</tr>

The expression {{ rg['description'] | safe }} is the vulnerable code pattern: the safe filter tells the template engine that the value is trusted HTML, so the group description is rendered without encoding or sanitization. Anyone who can set that description can therefore inject HTML and JavaScript into the page, which is a classic stored XSS.

Proof of Concept

The vulnerability can be reproduced by following these steps:

  1. Log in as a user that has permission to create a registrable group.
  2. Create a registrable group with the following description: <script>alert(document.domain)</script>
  [Screenshot: QWC2 Registration GUI XSS payload placement]
  3. Navigate to http://[hostname]/registration/register
  4. An alert showing the domain name pops up, confirming the XSS vulnerability.
  [Screenshot: QWC registration GUI XSS]

Remediation

This vulnerability was reported to the QGIS security team and fixed in f26c420cdbf95bb427ad568cd2632d9b9a751212. The patch modifies the HTML template to remove the "safe" filter from the description, restoring the engine's default escaping so that a stored payload is rendered as text rather than executed.
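To make the vulnerable pattern and the effect of the fix concrete, the following Python script is an added example and is not code from the qwc-registration-gui project. It scans Jinja2 template text for output expressions that apply the `safe` filter (the pattern described in the Vulnerability section) and renders the advisory's proof-of-concept payload both with and without that filter, which is exactly the difference the patch in the Remediation section makes. The template strings, the function names and the `render_description_cell` helper are assumptions constructed for this example; the helper reproduces Jinja2's autoescaping with `html.escape` so the script runs with the standard library only.

```python
"""Added example (not project code): audit Jinja2 templates for the `| safe`
filter on user-controlled values and show what it does to a stored XSS
payload.  Standard library only; Jinja2's autoescape behaviour is reproduced
with html.escape instead of importing Jinja2."""
import html
import re

# Every Jinja2 output expression `{{ ... }}` that sits on a single line.
# Caveat: an expression that wraps over several lines is not matched by this
# line-oriented scan; run it on the joined file if your templates wrap them.
OUTPUT_EXPR_RE = re.compile(r"\{\{(?P<body>.*?)\}\}")
# `| safe` (or `|safe`) anywhere in the filter chain of that expression.
SAFE_FILTER_RE = re.compile(r"\|\s*safe\b")


def find_safe_filters(template_source: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for each output expression that applies
    the `safe` filter, i.e. every place where autoescaping is switched off."""
    findings = []
    for lineno, line in enumerate(template_source.splitlines(), start=1):
        for match in OUTPUT_EXPR_RE.finditer(line):
            body = match.group("body")
            if SAFE_FILTER_RE.search(body):
                findings.append((lineno, body.strip()))
    return findings


def render_description_cell(description: str, marked_safe: bool) -> str:
    """Render the description <td> the way Jinja2 renders it with autoescape on.

    marked_safe=True mirrors `{{ rg['description'] | safe }}`: the stored string
    is emitted verbatim.  marked_safe=False mirrors the patched template
    `{{ rg['description'] }}`: & < > " ' are HTML-encoded before they reach the
    browser, so a <script> tag becomes inert text.
    """
    value = description if marked_safe else html.escape(description, quote=True)
    return f"<td>{value}</td>"


# Constructed sample (assumption): the table rows quoted in the advisory, with
# the closing </td> of the last cell restored so the fragment is well-formed.
VULNERABLE_TEMPLATE = """\
<tr class="{{ 'danger' if rg['member'] else 'active' }}">
  <td><b class="text-muted">{{ rg['title'] }}</b></td>
  <td>{{ rg['description'] | safe }}</td>
  <td><button type="button" class="btn btn-secondary" disabled>{{ utils.render_icon('hourglass') }} {{ "registration.pending" | i18n }}</button></td>
</tr>
"""

# Constructed sample (assumption): the same rows with the `safe` filter dropped,
# which is the change the fix applies to the description cell.
PATCHED_TEMPLATE = VULNERABLE_TEMPLATE.replace(
    "{{ rg['description'] | safe }}", "{{ rg['description'] }}"
)

# The proof-of-concept payload from the advisory, as stored in a group description.
POC_PAYLOAD = "<script>alert(document.domain)</script>"


if __name__ == "__main__":
    for name, source in (("vulnerable", VULNERABLE_TEMPLATE), ("patched", PATCHED_TEMPLATE)):
        print(f"{name:10s} | safe usages: {find_safe_filters(source)}")
    print("with  | safe :", render_description_cell(POC_PAYLOAD, marked_safe=True))
    print("without safe:", render_description_cell(POC_PAYLOAD, marked_safe=False))
```

Run against the vulnerable rows the scan reports line 3 with `rg['description'] | safe`; against the patched rows it reports nothing, and the payload is emitted as `&lt;script&gt;...&lt;/script&gt;`. Two caveats when using a scan like this on a real code base: it only finds the template-side `safe` filter, whereas values wrapped in `Markup()` in view code or sections inside `{% autoescape false %}` bypass escaping just as effectively; and removing `safe` is the right fix only where, as here, the field was never meant to carry trusted HTML.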

Patches

This issue has been fixed in version v2025.09.30. All users of the QWC2 Registration GUI are recommended to update to the latest version.

Timeline

2025-06-05: private disclosure to vendor

2025-07-23: initial discovery

2025-07-31: correction regarding the vulnerable field

2025-09-30: fix by vendor

2025-10-13: public disclosure