This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it as a real security issue because it requires authentication.
Authenticated users can use the Fetch Logs functionality to view arbitrary files on the host OS by modifying the "logFileName" parameter.
While the web application submits the affected URL as a POST request, it can be converted to a GET for ease of use.
See attachments ofbiz_path_traversal_1.png and ofbiz_path_traversal_2.png.
That can indeed be easily reproduced at
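
The usual server-side guard for a file-name parameter such as "logFileName" is to resolve it against the log directory and refuse anything that ends up outside it. The sketch below is an added example, not OFBiz code or the project's actual fix; the class `LogFileResolver`, the method `resolveLogFile`, the temporary log directory and the sample inputs are all hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class LogFileResolver {

    // Hypothetical helper: maps a user-supplied logFileName to a regular file
    // that must live inside logDir, or throws.
    static Path resolveLogFile(Path logDir, String logFileName) throws IOException {
        if (logFileName == null || logFileName.isEmpty()) {
            throw new SecurityException("missing logFileName");
        }
        // Canonical form of the allowed directory (symlinks resolved).
        Path base = logDir.toRealPath();
        // resolve() returns the argument itself when it is absolute, and
        // normalize() collapses "../", so both cases fail the check below.
        Path candidate = base.resolve(logFileName).normalize();
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("path escapes log directory");
        }
        // Resolve symlinks on the target too; throws if the file does not exist.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file in log directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed log directory with one sample log file.
        Path logDir = Files.createTempDirectory("logs");
        Files.writeString(logDir.resolve("ofbiz.log"), "constructed sample line\n");

        // Constructed inputs: one legitimate name, then traversal and absolute paths.
        String[] inputs = {
            "ofbiz.log", "sub/../ofbiz.log", "../../../../etc/passwd", "/etc/passwd"
        };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveLogFile(logDir, in));
            } catch (Exception e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

`Path.startsWith` compares whole path components, so a sibling directory whose name merely begins with the log directory's name does not pass the check.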