Home

Description

Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 <2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page

PUBLISHED Reserved 2025-09-30 | Published 2025-10-13 | Updated 2025-10-14 | Assigner NCSC.ch




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/RE:L

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unaffected

Any version before 2025.08.14
affected

2025.08.14
unaffected

Credits

Swiss National Test Institute for Cybersecurity NTC finder

Swiss National Cybersecurity Centre coordinator

Sandro Mani remediation developer

References

hub.ntc.swiss/ntcf-2025-4286 technical-description

cve.org (CVE-2025-11183)

nvd.nist.gov (CVE-2025-11183)

Download JSON