CVE-2025-11184: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in qwc-services qwc-registration-gui
Cross-site scripting vulnerability in QGIS QWC2 Registration GUI <=v2025.03.31 allows an authorized attacker to plant arbitrary JavaScript code in the page
AI Analysis
Technical Summary
CVE-2025-11184 is a cross-site scripting (XSS) vulnerability classified under CWE-79 that affects the qwc-registration-gui component of the QGIS QWC2 suite, specifically versions up to 2025.03.31. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing an authorized attacker to inject arbitrary JavaScript code into the application’s web interface. Exploitation requires the attacker to have authorized access to the system, but no elevated privileges beyond that, and some user interaction is necessary. The injected script executes in the browsers of other users who access the affected pages, potentially enabling session hijacking, theft of sensitive information, or unauthorized actions performed with the victim’s privileges. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H, consistent with the description’s authorized attacker), user interaction required (UI:P), and high impact on confidentiality (VC:H) with low impact on integrity (VI:L). There are no known exploits in the wild yet, and no patches had been linked at the time of publication. The vulnerability is particularly relevant to organizations using the QGIS QWC2 Registration GUI for geographic information system (GIS) services, which are common in government, urban planning, and environmental monitoring sectors. The improper input handling indicates a need for improved input validation and output encoding in the affected component to prevent script injection.
Potential Impact
For European organizations, especially those involved in GIS services, urban planning, environmental monitoring, and public sector infrastructure, this vulnerability poses a risk of unauthorized script execution within their web applications. Successful exploitation could lead to session hijacking, unauthorized data access, or manipulation of user actions, potentially compromising sensitive geographic or personal data. This could undermine trust in public services and lead to regulatory non-compliance under GDPR if personal data is exposed. The requirement for authorized access limits the attack surface but does not eliminate risk, as insider threats or compromised credentials could be leveraged. The impact on availability is minimal, but confidentiality and integrity impacts are significant, particularly in environments where QGIS QWC2 is integrated with other critical systems. The vulnerability could also be used as a foothold for further attacks within an organization’s network.
Mitigation Recommendations
1. Implement strict input validation and output encoding within the qwc-registration-gui to neutralize potentially malicious input before rendering it in web pages.
2. Restrict access to the registration GUI to trusted users and networks, employing network segmentation and access control lists.
3. Enforce strong authentication mechanisms and monitor for unusual access patterns to detect potential insider threats or compromised accounts.
4. Deploy Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context.
5. Regularly update and patch the QGIS QWC2 suite as vendor patches become available.
6. Conduct security code reviews and penetration testing focused on input handling in web components.
7. Educate users about phishing and social engineering to reduce the risk of credential compromise.
8. Monitor logs for suspicious activity related to the registration GUI and implement anomaly detection.
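The following is an added illustration of recommendations 1 and 4, not code from qwc-registration-gui itself: it assumes a Python web application that renders submitted registration fields into an HTML table, and contrasts the CWE-79 pattern (raw interpolation) with output encoding, then parses both results to show that only the unencoded version yields an extra element with an event-handler attribute. The field names, sample registration, and CSP policy are constructed for the example.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample: a registration submitted by an authorized user. The advisory
# does not name the vulnerable field, so these field names are hypothetical.
SAMPLE_REGISTRATION: Dict[str, str] = {
    "username": "mapper01",
    "display_name": 'Jane <img src=x onerror="alert(1)">',  # markup planted in a text field
    "email": "jane@example.org",
}

ROW_TEMPLATE = "<tr><td>{username}</td><td>{display_name}</td><td>{email}</td></tr>"


def render_row_unsafe(fields: Dict[str, str]) -> str:
    """CWE-79 pattern: user-controlled values are interpolated straight into markup."""
    return ROW_TEMPLATE.format(**fields)


def render_row_safe(fields: Dict[str, str]) -> str:
    """Output encoding: every user-controlled value is HTML-escaped at render time,
    so '<', '>', '&' and quotes reach the browser as text, never as markup."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return ROW_TEMPLATE.format(**escaped)


class _TagCollector(HTMLParser):
    """Records every start tag and every on* (event handler) attribute seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.event_attrs: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs += [name for name, _ in attrs if name.lower().startswith("on")]


def rendered_tags(markup: str) -> Tuple[List[str], List[str]]:
    """Parse rendered HTML the way a browser would and report tags and event attributes.
    Expected: the unsafe row contains an 'img' tag with 'onerror'; the safe row does not."""
    parser = _TagCollector()
    parser.feed(markup)
    return parser.tags, parser.event_attrs


# Recommendation 4: a restrictive CSP that blocks inline and third-party script, which
# limits the impact of any injection that slips past output encoding. Policy is an example.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'self'; frame-ancestors 'none'")
```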
Affected Countries
Germany, France, Netherlands, United Kingdom, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: NCSC.ch
- Date Reserved: 2025-09-30T06:08:22.823Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ecc5a7617226e321685f26
Added to database: 10/13/2025, 9:25:59 AM
Last enriched: 10/21/2025, 12:41:01 AM
Last updated: 12/2/2025, 10:21:48 PM