This vulnerability occurs because there is no filename validation on logo_image_login and logo_image_header in the import and export functions. An attacker can use a path traversal payload to leak local files such as /etc/passwd or the Froxlor config file.
Proof of Concept
Go to the import function under “Settings”.
Modify the filename in logo_image_login or logo_image_header with a path traversal payload, e.g. “…/…/…/…/…/etc/passwd?v=1672300384”.
After the import succeeds, go to “Settings” and open the Export page.
Click Download/Export Settings; the leaked file will be in the panel.logo_image_login.image_data key of the JSON file, base64 encoded.
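The missing check from the defender's side, as an added example that is not Froxlor's own code: a validator for imported logo_image_login / logo_image_header values that strips the cache-busting suffix, rejects any path component that could leave the image directory, and pins the result to an assumed asset directory and extension allowlist (LOGO_BASE_DIR and ALLOWED_EXTENSIONS are constructed for this example).

```python
import posixpath
from typing import Optional

# Constructed for this example: Froxlor's real logo directory and the
# extensions it accepts may differ from these assumed values.
LOGO_BASE_DIR = "templates/Froxlor/assets/img"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg"}


def validate_logo_path(value: str) -> Optional[str]:
    """Return the normalized path of a logo file inside LOGO_BASE_DIR,
    or None if the imported setting must be rejected.

    This is the validation the report describes as missing on the
    logo_image_login / logo_image_header values during import; the export
    side should only ever read a path that passed this check.
    """
    if not isinstance(value, str) or not value:
        return None
    # A cache-busting suffix such as "?v=1672300384" is not part of the filename.
    path = value.split("?", 1)[0]
    # NUL bytes and backslashes never belong in a logo filename.
    if "\x00" in path or "\\" in path:
        return None
    # Absolute paths, empty components ("//", trailing "/") and any "." or
    # ".." component are rejected; only plain relative names are allowed.
    parts = path.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return None
    # Defence in depth: the resolved path must still sit under the base dir.
    full = posixpath.normpath(posixpath.join(LOGO_BASE_DIR, path))
    if not full.startswith(LOGO_BASE_DIR + "/"):
        return None
    if posixpath.splitext(full)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return full


def check_samples() -> dict:
    """Run the validator over constructed sample values an import could carry."""
    samples = [
        "logo.png",                               # legitimate
        "logo.png?v=1672300384",                  # legitimate, cache-buster stripped
        "icons/logo_white.svg",                   # legitimate subdirectory
        "sub/../logo.png",                        # ".." component: rejected
        "../../../../../etc/passwd?v=1672300384", # traversal pattern from the report
        "/etc/passwd",                            # absolute path: rejected
        "logo.php",                               # extension not on the allowlist
    ]
    return {s: validate_logo_path(s) for s in samples}
```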