
CVE-2025-11183: QGIS QWC2 Cross-Site Scripting vulnerability

CVSS Score
N/A

Basic Information

EPSS Score
0.1288%
Published
10/13/2025
Updated
10/13/2025
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
-
Package Name
qwc2
Ecosystem
npm
Vulnerable Versions
< 2025.08.14
First Patched Version
2025.08.14

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a classic Cross-Site Scripting (XSS) issue caused by rendering untrusted data directly into the DOM without proper sanitization. The patch for this vulnerability reveals that the problem was not isolated to a single component but was present across multiple React components in the QWC2 application.

The primary indicator of the vulnerability is the use of dangerouslySetInnerHTML in React, which is explicitly named to warn developers about the risk of XSS. The patch systematically adds DOMPurify.sanitize() to all instances where dangerouslySetInnerHTML is used with potentially user-controllable data. This includes data from layer information, search results, service information, theme descriptions, and map copyright information.

In addition to dangerouslySetInnerHTML, the TextInput component was also found to be vulnerable due to direct manipulation of the innerHTML property of a DOM element. This is another common XSS vector that was addressed in the patch.

The identified vulnerable functions are the render methods of the affected components, as well as specific methods in the TextInput component (setDefaultValue and onChange). These are the functions that would be in the call stack when the vulnerable code is executed and would be the most relevant indicators for a runtime profiler during exploitation.

Vulnerable functions

LayerInfoWindow.render
components/LayerInfoWindow.jsx
The `render` method in `LayerInfoWindow` used `dangerouslySetInnerHTML` to render content that could be controlled by an attacker. The vulnerability is patched by sanitizing the content with `DOMPurify.sanitize` before rendering.
SearchBox.render
components/SearchBox.jsx
The `render` method in `SearchBox` used `dangerouslySetInnerHTML` multiple times to render search results. An attacker could craft a malicious search result that would execute arbitrary JavaScript. The patch sanitizes the `result.text` and `result.layer.abstract` before rendering.
ServiceInfoWindow.render
components/ServiceInfoWindow.jsx
Similar to `LayerInfoWindow`, the `render` method in `ServiceInfoWindow` was vulnerable to XSS via the `content` prop, which was rendered without sanitization using `dangerouslySetInnerHTML`. The patch adds sanitization using `DOMPurify`.
ThemeList.render
components/ThemeList.jsx
The `render` method in `ThemeList` rendered the `item.description` using `dangerouslySetInnerHTML` without sanitization, allowing for XSS if the description contained malicious HTML. The patch sanitizes the description before rendering.
TextInput.setDefaultValue
components/widgets/TextInput.jsx
The `setDefaultValue` method in `TextInput` directly set `this.input.innerHTML` with a value that could be controlled by an attacker. This is a classic XSS vector. The patch sanitizes the value before setting the `innerHTML`.
TextInput.onChange
components/widgets/TextInput.jsx
The `onChange` handler in `TextInput` reads from `ev.target.innerText` and processes it. While `innerText` is generally safer than `innerHTML`, the subsequent processing and usage could still lead to vulnerabilities. The patch proactively sanitizes the value.
MapCopyright.render
plugins/MapCopyright.jsx
The `render` method in `MapCopyright` used `dangerouslySetInnerHTML` to render a `key` which could contain malicious HTML. The patch sanitizes the `key` before rendering.
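The root cause analysis above and the function list it summarises describe one pattern repeated across components: untrusted HTML handed to `dangerouslySetInnerHTML` (or assigned to `innerHTML`), fixed by passing it through `DOMPurify.sanitize()` first. The following is an added example, not QWC2 code and not DOMPurify: it reduces the `ThemeList.render` and `TextInput.setDefaultValue` patterns to plain string functions so they run in Node without React or a browser, and it uses a small allowlist sanitizer (`sanitizeBasicHtml`, an assumption of this example) as a stand-in for `DOMPurify.sanitize`. The sample theme description is constructed for the demonstration.

```javascript
// Added example (not QWC2 code): the vulnerable and patched rendering patterns
// from the advisory, reduced to plain string functions so they run without React
// or a browser. sanitizeBasicHtml is a small allowlist sanitizer standing in for
// DOMPurify.sanitize, which is what the real patch uses.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a']);
// Elements whose content must go too: leaving "alert(1)" behind as text is harmless,
// but script/style bodies should never reach the DOM at all.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) =>
  s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Only <a href> keeps an attribute, and only with an http(s)/mailto scheme;
// on* handlers, style, srcdoc and javascript: URLs are all discarded here.
function safeAttrs(name, rawAttrs) {
  if (name !== 'a') return '';
  const m = /(?:^|\s)href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(rawAttrs);
  if (!m) return '';
  const href = (m[1] || m[2] || m[3] || '').trim();
  return /^(https?:|mailto:)/i.test(href) ? ` href="${escapeAttr(href)}"` : '';
}

// Allowlist sanitizer: unknown tags are removed (their text is kept), dangerous
// elements are removed together with their content, stray < and > in text are escaped.
function sanitizeBasicHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let skipUntil = null; // name of the element whose body is being discarded
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [tag, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const closing = tag.startsWith('</');
    const text = html.slice(last, m.index);
    last = m.index + tag.length;
    if (skipUntil) {
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    out += escapeText(text);
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) skipUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;
    out += closing ? `</${name}>` : `<${name}${safeAttrs(name, rawAttrs)}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  return out;
}

// Vulnerable pattern from ThemeList.render: the string equivalent of
// <div dangerouslySetInnerHTML={{ __html: item.description }} />
function renderThemeDescriptionUnsafe(item) {
  return `<div class="theme-description">${item.description}</div>`;
}

// Patched pattern: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(item.description) }}.
// The sanitizer is injected so the same code works with DOMPurify.sanitize in a browser.
function renderThemeDescriptionSanitized(item, sanitize = sanitizeBasicHtml) {
  return `<div class="theme-description">${sanitize(item.description)}</div>`;
}

// Same idea for the TextInput.setDefaultValue path, which wrote this.input.innerHTML
// directly; inputEl here is any object with an innerHTML property (a real element in a browser).
function setInputDefaultValue(inputEl, value, sanitize = sanitizeBasicHtml) {
  inputEl.innerHTML = sanitize(value);
  return inputEl.innerHTML;
}

// Constructed sample: a theme description carrying markup a hostile theme config could contain.
const constructedTheme = {
  description:
    '<b>Basemap</b> &amp; overlays<img src=x onerror="alert(1)"> ' +
    '<a href="javascript:alert(2)">docs</a><script>alert(3)</script>',
};

console.log('unsafe:   ', renderThemeDescriptionUnsafe(constructedTheme));
console.log('sanitized:', renderThemeDescriptionSanitized(constructedTheme));
```

The unsafe path passes the `img`, the `javascript:` link and the `script` element straight into the markup; the sanitized path keeps only the `<b>` and a bare `<a>` with the link stripped. The regex tokenizer is the weak point of this stand-in (attribute values containing `>` and malformed markup confuse it), which is exactly why the real patch relies on DOMPurify, whose parser is the browser's own; in a React component the `sanitize` parameter would simply be `DOMPurify.sanitize`.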

WAF Protection Rules

WAF Rule

Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page.

Reasoning

The vulnerability is a classic Cross-Site Scripting (XSS) issue caused by rendering untrusted data directly into the DOM without proper sanitization. The patch for this vulnerability reveals that the problem was not isolated to a single component but