CVE-2016-1241 allows an authenticated user to read the password hashes of other users. Exploitation is not easy thanks to the protections Tryton already applies to stored passwords: a strong hash method (bcrypt or sha1) and a random salt added to each password, which defeats precomputed rainbow tables. Note that a salt does not stop an attacker who holds a leaked hash from guessing weak passwords offline, which is why the password change recommended below matters.
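The following illustrates the two protections named above (a strong hash plus a per-password random salt) and their limit against a leaked hash. It is an added example, not Tryton's own code: the "sha1$salt$digest" storage format, the helper names and the sample passwords are constructed for the example, and salted sha1 is shown rather than bcrypt only because it needs nothing outside the Python standard library.

```python
"""Added illustration of salted password hashing and of what a leaked hash
still exposes. Example code, not Tryton's: the storage format, helper names
and sample passwords below are constructed for the example."""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'sha1$<salt hex>$<digest hex>' for password.

    A fresh 16-byte random salt is drawn when none is given, so two users
    with the same password get different stored hashes and a precomputed
    (rainbow) table keyed on the password alone is useless against a dump.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt.hex(), digest)


def check_password(password: str, stored: str) -> bool:
    """Verify password against a stored hash using a constant-time compare."""
    algo, salt_hex, digest = stored.split("$")
    if algo != "sha1":
        raise ValueError("unsupported hash method: " + algo)
    candidate = hashlib.sha1(
        bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def guess_password(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against one leaked hash.

    This is what an attacker who obtained hashes through CVE-2016-1241 would
    run. The salt forces one hash computation per (salt, guess) pair instead
    of a table lookup, but a weak password still falls after a few guesses,
    which is why the advisory asks every user to change their password.
    """
    for guess in wordlist:
        if check_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    first = hash_password("correct horse")
    second = hash_password("correct horse")
    print("same password, different hashes:", first != second)
    leaked = hash_password("hunter2")  # constructed 'leaked' hash
    print("recovered:", guess_password(leaked, ["password", "letmein", "hunter2"]))
```

The constant-time comparison in check_password is not related to the CVE; it is simply the correct way to compare digests in a verifier. The dictionary attack is deliberately small: the point is that salting changes the cost per guess, not whether a weak password can be recovered.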
CVE-2016-1242 allows an authenticated user with write access to a report or icon definition to make the server open any file readable by the server process. By default, only members of the administrator group have this write access.
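The class of bug behind CVE-2016-1242 is a server opening a file whose path comes from a user-editable record. The check below is an added example of how such a path is confined to a trusted directory; it is not Tryton's code or its actual fix, and the directory layout, file names and helper names are constructed for the example.

```python
"""Added example, not Tryton's own code, of confining a user-controlled
report or icon path to a trusted directory. The directory layout, file
names and helper names below are constructed for the example."""
import os
import tempfile
from typing import Dict


def is_contained(base_dir: str, requested: str) -> bool:
    """True only if requested resolves, symlinks included, to a path inside
    base_dir.

    Joining and normalising is not enough on its own: '../' segments,
    absolute paths and symlinks are the three ways a definition can escape
    the trusted directory, and os.path.realpath collapses all of them
    before the comparison is made.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # The separator check stops '/srv/modules_evil' matching '/srv/modules'.
    return target == base or target.startswith(base + os.sep)


def open_definition(base_dir: str, requested: str):
    """Open a report or icon file only when it lies under base_dir.

    Hypothetical helper: raises PermissionError for an escaping path instead
    of handing the file to the caller.
    """
    if not is_contained(base_dir, requested):
        raise PermissionError("path escapes trusted directory: %r" % requested)
    return open(os.path.join(os.path.realpath(base_dir), requested), "rb")


def demo() -> Dict[str, bool]:
    """Build a throwaway tree and try several paths; returns path -> allowed."""
    root = tempfile.mkdtemp()
    modules = os.path.join(root, "modules")
    os.makedirs(os.path.join(modules, "sale"))
    with open(os.path.join(modules, "sale", "sale.odt"), "wb") as handle:
        handle.write(b"constructed report body")
    with open(os.path.join(root, "secret.txt"), "wb") as handle:
        handle.write(b"not for ordinary users")
    # A symlink planted inside the trusted tree that points outside it.
    link = os.path.join(modules, "sale", "link.odt")
    try:
        os.symlink(os.path.join(root, "secret.txt"), link)
    except OSError:
        pass  # platforms without symlink support simply skip this case
    candidates = (
        "sale/sale.odt",            # legitimate definition
        "../secret.txt",            # parent traversal
        "sale/../../secret.txt",    # traversal hidden behind a valid prefix
        "/etc/hostname",            # absolute path wins in os.path.join
        "sale/link.odt",            # symlink escape
    )
    return {path: is_contained(modules, path) for path in candidates}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print("%-24s %s" % (path, "allowed" if allowed else "rejected"))
```

The check resolves both sides with os.path.realpath so that a symlink planted inside the trusted tree cannot be used to reach a file outside it; comparing with a trailing separator avoids a sibling directory whose name merely starts with the trusted one being accepted.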
There is no workaround for CVE-2016-1241.
For CVE-2016-1242, write access to the report and icon records can be removed from all users.
All users should upgrade trytond to the latest version.
It is recommended that every user changes their password.
Affected versions per series: <=3.2.16, <=3.4.13, <=3.6.11, <=3.8.7 and <=4.0.3
Unaffected versions per series: >=3.2.17, >=3.4.14, >=3.6.12, >=3.8.8 and >=4.0.4
Any security concerns should be reported on the bug tracker at https://bugs.tryton.org/ with the type security.