Ltsp: Security Vulnerabilities
LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-session script.
CVSS Score
7.8
EPSS Score
0.002
Published
2020-01-09
ldm in Linux Terminal Server Project (LTSP) 0.99 and 2 passes the -ac option to the X server on each LTSP client, which allows remote attackers to connect to this server via TCP port 6006 (aka display :6).
CVSS Score
4.8
EPSS Score
0.007
Published
2008-04-29