Vendure is vulnerable to arbitrary price manipulation. The cause is that an arbitrary currencyCode can be supplied as a query parameter to an API call, so a user can select any currencyCode, and payments made through Mollie and Stripe in that currencyCode are then accepted without currency conversion. An attacker can exploit this by supplying an arbitrary currencyCode during the payment process: the currencyCode is accepted without currency conversion, resulting in incorrect payment amounts.
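The following is an added illustration of the defensive checks this class of issue calls for; it is not Vendure's own code, and the types, function names and sample values are constructed for the example. It shows the weak pattern the advisory describes (a client-supplied currencyCode used as-is) beside a validated version that only accepts a currency the channel has actually enabled, plus a server-side check that a reported payment's currency and amount match the order before it is accepted.

```typescript
// Added example (not Vendure's code). All types, names and data are constructed.

type CurrencyCode = string;

interface Channel {
  defaultCurrencyCode: CurrencyCode;
  // Currencies the merchant has explicitly priced and enabled for this channel.
  availableCurrencyCodes: CurrencyCode[];
}

interface OrderLine {
  // Unit price in minor units (e.g. cents), per currency the channel supports.
  pricesByCurrency: Record<CurrencyCode, number>;
  quantity: number;
}

interface Order {
  currencyCode: CurrencyCode;
  totalWithTax: number; // minor units
}

interface PaymentResult {
  currencyCode: CurrencyCode; // currency the provider reports the payment settled in
  amount: number;             // minor units, as reported by the provider
}

// Weak pattern from the advisory: whatever currencyCode the request carries is
// used directly, so a currency the merchant never enabled can be selected.
function selectCurrencyUnchecked(requested: CurrencyCode | undefined, channel: Channel): CurrencyCode {
  return requested ?? channel.defaultCurrencyCode;
}

// Hardened: a requested currency is honoured only if the channel enables it;
// anything else falls back to the channel default instead of being trusted.
function selectCurrencyChecked(requested: CurrencyCode | undefined, channel: Channel): CurrencyCode {
  if (requested !== undefined && channel.availableCurrencyCodes.includes(requested)) {
    return requested;
  }
  return channel.defaultCurrencyCode;
}

// Totals the order in the chosen currency. Returns undefined when any line has
// no price in that currency, so callers cannot silently proceed with an
// unpriced currency.
function computeTotal(lines: OrderLine[], currencyCode: CurrencyCode): number | undefined {
  let total = 0;
  for (const line of lines) {
    const unitPrice = line.pricesByCurrency[currencyCode];
    if (unitPrice === undefined) return undefined;
    total += unitPrice * line.quantity;
  }
  return total;
}

// Server-side check when a payment provider reports a completed payment: the
// settled currency and amount must equal the order's. No conversion is
// attempted; any mismatch is rejected rather than accepted.
function paymentMatchesOrder(order: Order, payment: PaymentResult): boolean {
  return payment.currencyCode === order.currencyCode && payment.amount === order.totalWithTax;
}

// Constructed sample data used for a stand-alone run.
const sampleChannel: Channel = { defaultCurrencyCode: "EUR", availableCurrencyCodes: ["EUR", "USD"] };
const sampleLines: OrderLine[] = [
  { pricesByCurrency: { EUR: 1999, USD: 2199 }, quantity: 2 },
  { pricesByCurrency: { EUR: 1001, USD: 1099 }, quantity: 1 },
];

const chosen = selectCurrencyChecked("JPY", sampleChannel); // falls back to "EUR"
const total = computeTotal(sampleLines, chosen);
console.log(`currency=${chosen} total=${total}`);
```

The validated selector and the payment check are independent layers: the first keeps an unsupported currency from ever becoming the order currency, and the second ensures that even a payment reported in the right currency is rejected if the amount does not equal the order total.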