Kees Huijgen

#40174 of 53,634
6.8 CVSS total
Vulnerabilities · 1
PT-2007-1115
6.8
2007-09-21
Kde · Kdm · CVE-2007-4569
Name of the Vulnerable Software and Affected Versions: KDM versions 3.3.0 through 3.5.7

Description: The issue allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors when autologin is configured and "shutdown with password" is enabled. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation can be carried out locally by an attacker who has passed the authentication procedure.

Recommendations: For KDM versions 3.3.0 through 3.5.7, update to version 3.5.7-r2 or later to resolve the issue. As a temporary workaround, consider disabling the autologin feature and the "shutdown with password" option to minimize the risk of exploitation. Restrict access to the `backend/session.c` component in KDM to reduce the risk of unauthorized access.