file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.
https://bugs.tryton.org/issue5808
http://www.tryton.org/posts/security-release-for-issue5795-and-issue5808.html