Home > Vulnerability Database > WS-2023-0423

Mend.io Vulnerability Database

WS-2023-0423

Date: August 19, 2025

@vendure/core's insecure currencyCode handling allows wrong payment amounts Currently, in many Vendure deployments it's possible to select any currencyCode (really any, doesn't need to be assigned to the channel) and pay through Mollie and Stripe in that particular currencyCode. The prices are not transformed. The result is the Order is in Payment Settled in the foreign currency. See SS, CZK is not in the channel. This is fixed in 2.1.3.

Language: TYPE_SCRIPT

Severity Score

5.3

Related Resources (5)

Url: https://github.com/vendure-ecommerce/vendure/commit/0ebf0fb892a644004a9cdc64fe9177e7dbc0cb36

Url: https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-wm63-7627-ch33

Url: https://github.com/vendure-ecommerce/vendure/commit/5e506fd8ba9f7e20030c329e62af1140d906121f

Url: https://github.com/vendure-ecommerce/vendure

Url: https://www.mend.io/vulnerability-database/WS-2023-0423

Severity Score

5.3

Weakness Type (CWE)

Improper Input Validation

CWE-20

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2023-0423

Date: August 19, 2025

Language: TYPE_SCRIPT

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?