CVE-2025-11184 is a cross-site scripting (XSS) vulnerability identified in the qwc-registration-gui component of the qwc-services project, specifically affecting versions up to 2025.03.31. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an attacker with authorized access and high privileges to inject arbitrary JavaScript code into the web interface. The injected script executes in the context of the victim's browser, potentially leading to session hijacking, unauthorized actions, or data theft. The vulnerability does not require network-level authentication but does require the attacker to have elevated privileges within the system, and some user interaction is necessary to trigger the malicious script. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H means high privileges required, so this is a discrepancy; assuming PR:H means privileges required), user interaction required (UI:P), high impact on confidentiality (VC:H), low impact on integrity (VI:L), no impact on availability (VA:N), and no scope change (SC:N). No public exploits are known at this time, but the vulnerability is published and should be addressed promptly. The qwc-registration-gui is part of QGIS's web client services used for geospatial data registration and management, often deployed in governmental and environmental agencies.

For European organizations, especially those involved in geospatial data management, environmental monitoring, urban planning, and governmental services, this vulnerability poses a risk of unauthorized script execution within the registration GUI. Successful exploitation could lead to session hijacking, unauthorized data manipulation, or disclosure of sensitive geospatial information. This could undermine trust in public services, lead to data integrity issues, and potentially expose personal or critical infrastructure data. Since the vulnerability requires high privileges, the threat is more relevant to insider threats or attackers who have already compromised internal accounts. The impact on confidentiality is high, while integrity impact is low and availability is unaffected. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks. Organizations relying on QGIS QWC2 Registration GUI should consider this vulnerability a significant risk to their web application security posture.

1. Apply patches or updates from the qwc-services project as soon as they become available to address CVE-2025-11184. 2. Implement strict input validation and output encoding on all user-supplied data within the qwc-registration-gui to prevent script injection. 3. Restrict access to the registration GUI to only trusted and necessary personnel, enforcing the principle of least privilege. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 5. Conduct regular security audits and code reviews focusing on input handling in web interfaces. 6. Monitor logs for unusual activities or attempts to inject scripts. 7. Educate authorized users about the risks of interacting with suspicious content or links within the application. 8. Consider network segmentation to isolate the registration GUI from broader enterprise networks to limit lateral movement if exploited.