The ability to change settings as a registered (non-admin) user allows us to trigger an Arbitrary File Disclosure vulnerability with any path of our choosing. One limitation of this vulnerability is that the target user (in the PoC, ‘test’) needs to have an account on the Cart66 installation.