QGIS QWC2 Cross-Site Scripting Vulnerability in Attribute Table
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in QGIS Web Client (QWC2) versions prior to 2025.08.14. It allows an authenticated user with editing rights on a layer to inject arbitrary JavaScript into the attribute table, which is then executed in the browsers of other users who view that table. The issue arises because values entered in the name or description fields are inserted into the page without HTML encoding, so HTML and JavaScript in those values are parsed and executed rather than displayed as text.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected JavaScript is executed in the browser of any user who opens the affected attribute table, with that user's session and privileges in the application.
Reproduction
To reproduce this vulnerability, log in with a user account that has editing permissions for the attribute layer. Access the editing tools and draw a line. Then, open the attribute table and edit the name or description field by inserting an image tag with an 'onerror' event. The injected JavaScript will execute, confirming the presence of the vulnerability.
Remediation
Users are advised to update to QGIS QWC2 version 2025.08.14 or later, where this vulnerability has been fixed by sanitizing untrusted input with DOMPurify.
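The rendering defect described above and the shape of the fix can be illustrated with a small added example. This is not QWC2 code and not the project's fix; the function names (renderCellUnsafe, renderCellEscaped, looksLikeMarkup, auditFeatures) and the sample features are constructed for illustration. It shows the unsafe pattern (an attribute value concatenated straight into markup), an encoding-based rendering that displays the value as text, and a coarse audit helper a defender can run over data that was stored before the upgrade. Where cell content must keep benign formatting, the allowlist approach named in the advisory applies instead: in the browser, DOMPurify.sanitize(value) strips tags and event-handler attributes that are not on its allowlist.

```javascript
// Added illustration of the defect class in this advisory, not QWC2 code.
// All function names below are hypothetical.

// Encode the five characters that change meaning in HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored attribute value becomes part of the markup,
// so any tag or event handler it contains is parsed by the browser.
function renderCellUnsafe(value) {
  return `<td>${value}</td>`;
}

// Corrected pattern: encode before concatenation; the value is shown verbatim
// as text and never interpreted as markup.
function renderCellEscaped(value) {
  return `<td>${escapeHtml(value)}</td>`;
}

// Coarse triage check for already-stored values: flags anything that opens a
// tag or carries an inline event-handler attribute. Expect some false
// positives (e.g. the word "one" followed by "="); it is a review aid, not a filter.
function looksLikeMarkup(value) {
  return /<[a-z!\/]/i.test(value) || /\bon[a-z]+\s*=/i.test(value);
}

// Walk GeoJSON-style features and report which name/description fields look suspicious.
function auditFeatures(features) {
  const findings = [];
  for (const feature of features) {
    for (const field of ['name', 'description']) {
      const v = feature.properties[field];
      if (typeof v === 'string' && looksLikeMarkup(v)) {
        findings.push({ id: feature.id, field });
      }
    }
  }
  return findings;
}

// Constructed sample data (not real QWC2 features).
const sampleFeatures = [
  { id: 1, properties: { name: 'Main street', description: 'Trunk road' } },
  { id: 2, properties: { name: 'River & bridge', description: '<img src=x onerror="evilCode()">' } },
];

for (const feature of sampleFeatures) {
  console.log('unsafe :', renderCellUnsafe(feature.properties.description));
  console.log('escaped:', renderCellEscaped(feature.properties.description));
}
console.log('audit findings:', JSON.stringify(auditFeatures(sampleFeatures)));
```

Running the audit over a layer's exported features before upgrading gives a list of records to clean up; after the upgrade, the escaped (or DOMPurify-sanitized) rendering ensures such values can no longer execute even if they remain in the data.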
