PT-2023-33067 · Mollie, Stripe, Vendure

Published 2023-11-17 · Updated 2023-11-17

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Vendure versions prior to 2.1.3
Description: Vendure accepts an arbitrary currencyCode as a query parameter on API requests and uses it as the order's currency without checking that it is one of the currencies assigned to the channel. A customer can therefore select any currency code, not just the channel's own, and complete payment through Mollie or Stripe in that currency. Because prices are not converted, the order is settled for the same numeric amount in the chosen foreign currency, which is the integrity impact reflected in the vector (I:L). The root cause is that the user-supplied currencyCode is trusted rather than validated against the channel's available currencies.
Recommendations: Update Vendure to version 2.1.3 or later, which resolves the issue. If updating is not immediately possible, a temporary workaround is to define a custom OrderProcess whose onTransitionStart hook verifies that the order's currencyCode is one of the channel's available currencies before allowing the transition to the ArrangingPayment state; this blocks the checkout step in which a Mollie or Stripe payment would be initiated for an order in an unsupported currency. The workaround only guards the payment step and does not correct an order that already carries a foreign currency, so the update remains the actual fix.
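The workaround above, as an added illustration that is neither the advisory's nor Vendure's own code: a currency guard written as a custom OrderProcess hook, alongside the request-side validation that a fixed version performs conceptually (rejecting a currencyCode the channel does not offer instead of trusting it). The RequestContext, Channel, Order and OrderProcess types in the block are simplified, assumed stand-ins modelled on the Vendure API (ctx.channel.availableCurrencyCodes, order.currencyCode, and an onTransitionStart hook that halts a transition by returning false or an error string), so the file runs without @vendure/core installed; in a real project those types and defaultOrderProcess are imported from @vendure/core instead. The sample channel and orders are constructed.

```typescript
// Added example (not Vendure's code): currency guard modelled on the advisory's workaround.
// The types below are simplified, assumed stand-ins for @vendure/core's RequestContext,
// Channel, Order and OrderProcess so that this file runs without the package installed.

type CurrencyCode = string;
type OrderState =
  | 'AddingItems'
  | 'ArrangingPayment'
  | 'PaymentAuthorized'
  | 'PaymentSettled'
  | 'Cancelled';

interface Channel {
  defaultCurrencyCode: CurrencyCode;
  availableCurrencyCodes: CurrencyCode[]; // currencies assigned to the channel
}
interface RequestContext {
  channel: Channel;
}
interface Order {
  code: string;
  currencyCode: CurrencyCode; // taken from the request's currency when items are added
}
interface OrderTransitionData {
  ctx: RequestContext;
  order: Order;
}

// Mirrors the OnTransitionStartFn contract (assumed): returning `false` or a string
// (the error message) halts the state transition; `undefined` or `true` lets it proceed.
type TransitionVerdict = boolean | string | void;
interface OrderProcess {
  onTransitionStart?: (
    from: OrderState,
    to: OrderState,
    data: OrderTransitionData,
  ) => TransitionVerdict | Promise<TransitionVerdict>;
}

export function isCurrencyAllowed(ctx: RequestContext, code: CurrencyCode): boolean {
  return ctx.channel.availableCurrencyCodes.includes(code);
}

// Request-side validation of the `currencyCode` query parameter. The vulnerable
// behaviour was to use the parameter as supplied; the safe behaviour shown here
// (an assumption, not a copy of the 2.1.3 patch) rejects codes the channel does not offer.
export function resolveRequestCurrency(
  ctx: RequestContext,
  queryCurrencyCode: string | undefined,
): CurrencyCode {
  if (queryCurrencyCode === undefined || queryCurrencyCode === '') {
    return ctx.channel.defaultCurrencyCode;
  }
  if (!isCurrencyAllowed(ctx, queryCurrencyCode)) {
    throw new Error(`Currency "${queryCurrencyCode}" is not available in this channel`);
  }
  return queryCurrencyCode;
}

// Workaround hook: block the transition into ArrangingPayment (the step before a
// Mollie/Stripe payment is created) when the order's currency is not one of the
// channel's currencies. Every other transition (e.g. to Cancelled) is left untouched.
export function currencyGuard(
  _from: OrderState,
  to: OrderState,
  { ctx, order }: OrderTransitionData,
): TransitionVerdict {
  if (to !== 'ArrangingPayment') {
    return;
  }
  if (!isCurrencyAllowed(ctx, order.currencyCode)) {
    return (
      `Order ${order.code} is in ${order.currencyCode}, which is not an available ` +
      `currency of this channel (${ctx.channel.availableCurrencyCodes.join(', ')})`
    );
  }
}

// In a real project this object is registered in VendureConfig, e.g.
//   orderOptions: { process: [defaultOrderProcess, currencyGuardProcess] }
export const currencyGuardProcess: OrderProcess = {
  onTransitionStart: currencyGuard,
};

// Constructed sample data: a channel that sells in USD (default) and EUR.
export const sampleCtx: RequestContext = {
  channel: { defaultCurrencyCode: 'USD', availableCurrencyCodes: ['USD', 'EUR'] },
};
```

Note that the guard sits on the state machine rather than on the payment plugin, so it covers Mollie, Stripe and any other payment handler alike: none of them are reached unless the order first enters ArrangingPayment.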

Related Identifiers

GHSA-WM63-7627-CH33

Affected Products

Mollie
Stripe
Vendure