QGIS QWC2 Registration GUI Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability exists in QGIS QWC2 Registration GUI versions prior to 2025.09.30. It allows an authorized user (one permitted to create registrable groups) to inject arbitrary JavaScript into the registration page. The root cause is that the 'description' field of registrable groups is not properly sanitized or escaped before it is rendered, so markup stored in that field executes as script in the browsers of users who view the registration page.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the registration page.
Reproduction
To reproduce this vulnerability, log in as a user with permission to create registrable groups. Create a group and inject a script payload, such as a JavaScript alert, into the description field. After saving the group, navigate to the registration page where the injected script will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users are advised to update to QGIS QWC2 Registration GUI version 2025.09.30 or later, where this vulnerability has been fixed.
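The following is an added illustration of the defect class described under Vulnerability and of the kind of output-encoding fix that removes it; it is not code from QWC2 Registration GUI or the project's actual patch. Names, the sample group data and the rendering functions are assumed for the example.

```python
import html

# Constructed sample data (not from the advisory): the second description
# carries the kind of script payload the advisory describes.
SAMPLE_GROUPS = [
    {"name": "editors", "description": "Users who may edit map layers"},
    {"name": "guests", "description": "<script>alert(1)</script> trial access"},
]


def render_group_row_vulnerable(group):
    """Hypothetical rendering that mirrors the advisory's defect: the
    description is concatenated into HTML unescaped, so any markup in it
    is interpreted by the viewer's browser (stored XSS)."""
    return "<li><b>" + group["name"] + "</b>: " + group["description"] + "</li>"


def render_group_row_fixed(group):
    """Hardened form: every user-controlled value is HTML-escaped at output
    time. quote=True also encodes ' and " so the value is also safe inside
    attribute values. The text reads the same to the user, but < > & ' "
    reach the browser as entities and are never parsed as tags."""
    return (
        "<li><b>" + html.escape(group["name"], quote=True) + "</b>: "
        + html.escape(group["description"], quote=True) + "</li>"
    )


def render_registration_page(groups, renderer):
    """Assemble the group list the registration page shows."""
    return "<ul>" + "".join(renderer(g) for g in groups) + "</ul>"


def contains_raw_script_tag(markup):
    """Regression check usable in a template test suite: a literal <script
    tag in rendered output means user data reached the page unescaped."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_group_row_vulnerable),
                            ("fixed", render_group_row_fixed)):
        page = render_registration_page(SAMPLE_GROUPS, renderer)
        print(label, "-> raw <script> tag present:", contains_raw_script_tag(page))
```

The same check can be pointed at the real template output in a CI test so a later edit that reintroduces unescaped rendering of the description field fails the build.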