A vulnerability has been found in tryton that might allow a malicious server to send a crafted extension in answer to a report request, leading the client to write the report to any file on the client host with the rights of the user running the client (see issue3446).
Any file can be created on the client host with the access permissions of the user running the client.
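An added example, not Tryton's code and not its actual fix: one way a client can build the output path for a report so that a server-supplied name or extension cannot steer the write outside a private directory. The function names, the allow-list pattern and the `report_` prefix are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed allow-list for this sketch: short, letters and digits only.
_EXT_RE = re.compile(r'[A-Za-z0-9]{1,10}')


def safe_report_path(directory, name, extension):
    """Return the path for a report whose name and extension come from the server.

    Both values are untrusted. Raises ValueError instead of returning
    a path that would land outside `directory`.
    """
    # fullmatch (not match with '$') so a trailing newline is rejected too.
    if not _EXT_RE.fullmatch(extension):
        raise ValueError('rejected report extension: %r' % (extension,))
    # Replace separators and other unexpected characters in the name part.
    base = re.sub(r'[^A-Za-z0-9_.-]', '_', name).lstrip('.') or 'report'
    directory = os.path.realpath(directory)
    path = os.path.realpath(
        os.path.join(directory, base + os.extsep + extension))
    # Defence in depth: the resolved path must still be inside the directory.
    if os.path.commonpath([directory, path]) != directory:
        raise ValueError('report path escapes %s' % directory)
    return path


def write_report(name, extension, data):
    """Write report bytes into a fresh per-report temporary directory."""
    directory = tempfile.mkdtemp(prefix='report_')  # created with mode 0700
    path = safe_report_path(directory, name, extension)
    # O_EXCL refuses to overwrite or follow anything already at that path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, 'wb') as fp:
        fp.write(data)
    return path
```

Rejecting an unexpected extension outright, rather than trying to clean it, keeps the failure visible to the user and to any client-side logging.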
Users should connect only to trusted servers.
All users should upgrade to the latest version of the series they use.
Any security concerns should be reported on the bug-tracker at http://bugs.tryton.org/ with the type security.