CVE-2025-11183: 
JavaScript vulnerability analysis and mitigation

CVE-2025-11183 is a Cross-Site Scripting (XSS) vulnerability discovered in QGIS Web Client (QWC2), a responsive web client for QGIS Server built with ReactJS and OpenLayers. The vulnerability was discovered on July 23, 2025, and affects versions prior to 2025.08.14. This security flaw allows authorized attackers to inject arbitrary JavaScript code into the attribute table, which subsequently executes in other users' browsers (Swiss Hub).

The vulnerability exists in the attribute table functionality, specifically in the name and description fields. The issue stems from components/LayerInfoWindow.jsx where user inputs are rendered without proper encoding, enabling HTML/JS injection. The vulnerability has been assigned a CVSS 4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/RE:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (Swiss Hub, NVD).

When exploited, this vulnerability allows attackers with editing capabilities to inject malicious JavaScript code through the attribute layer. When other users display the affected attribute layer, the injected code executes in their browsers. This could potentially lead to website defacement or session theft of other users (Swiss Hub).

The vulnerability has been fixed in version 2025.08.14 through patch 764fa4e5f78115d11459d9e1221cf3d39ab3b04c, which implements sanitization using DOMPurify for untrusted input set as innerHTML. Users are strongly recommended to upgrade to this version or later to address the vulnerability (Swiss Hub).