Hello,
When uploading a logo or favicon, the filename can be controlled by an attacker, since the key,
which serves as the filename, can be modified.
{F2044799}
{F2044800}
{F2044798}
Due to an error, the path is also disclosed:
{F2044802}
[add details for how we can reproduce the issue]
http://localhost/settings/admin/theming
The attacker can upload any files directly into the webapp and obtain path disclosure. Combining both pieces of information can be useful in later attacks.
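
One way to close both issues described above, shown as an added example that is not part of the original report or of the affected application's code. The function name, exception class and storage layout are assumptions; the two allowed keys come from the report's mention of logo and favicon.

```python
import os
import tempfile

# Assumption: these are the only legitimate upload keys (the report names logo and favicon).
ALLOWED_KEYS = {"logo", "favicon"}


class UploadRejected(Exception):
    """Carries a generic, path-free message that is safe to return to the client."""


def store_theming_image(storage_dir, key, data):
    """Hypothetical handler: store an upload under a server-chosen name and return it."""
    # Exact-match allowlist: the stored filename is never built from free-form input,
    # so extensions, separators and traversal sequences in the key are all refused.
    if key not in ALLOWED_KEYS:
        raise UploadRejected("Unsupported image key")
    target = os.path.join(storage_dir, key)
    try:
        with open(target, "wb") as fh:
            fh.write(data)
    except OSError:
        # Details belong in the server log; "from None" drops the chained
        # exception so the filesystem path cannot reach the response.
        raise UploadRejected("Could not store image") from None
    return key


def demo():
    """Run constructed keys through the handler and report what was stored."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for key in ("logo", "favicon", "../outside.txt", "logo.php", "index.html"):
            try:
                results[key] = store_theming_image(d, key, b"constructed-bytes")
            except UploadRejected as exc:
                results[key] = "rejected: " + str(exc)
        results["files"] = sorted(os.listdir(d))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```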