LTSP · LTSP LDM · CVE-2019-20373
**Name of the Vulnerable Software and Affected Versions**
LTSP LDM versions prior to 2.18.07
**Description**
The issue is in the `run-x-session` script and allows fat-client root access: the `LDM_USERNAME` variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is a case of insecure privilege management, which can be exploited to elevate privileges to the level of a superuser.
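The following is an added example, not code from LTSP or from this advisory: a guard that a root-run session launcher could apply to the value of `LDM_USERNAME` before switching to that account, so that an empty value stops the session instead of leaving it running as root. The function name `resolve_session_uid` and the accepted character set are assumptions made here.

```shell
#!/bin/sh
# Added example (not LTSP code): validate the session user before a
# launcher running as root hands the session to that account.

# resolve_session_uid NAME
# Prints the numeric UID and returns 0 only when NAME is a usable,
# unprivileged account; returns non-zero and prints nothing otherwise.
resolve_session_uid() {
    name=$1

    # 1. Empty value: the case named in the advisory. An unquoted empty
    #    expansion disappears from a command line, so a user-switching
    #    command would fall back to its default account.
    if [ -z "$name" ]; then
        echo "session user is empty, refusing to start session" >&2
        return 1
    fi

    # 2. Conservative character check (assumed policy): rejects a leading
    #    '-' (would be parsed as an option), whitespace and metacharacters.
    case $name in
        -*|*[!A-Za-z0-9._-]*)
            echo "session user contains unexpected characters" >&2
            return 1 ;;
    esac

    # 3. The account must exist and resolve to a numeric UID.
    uid=$(id -u "$name" 2>/dev/null) || uid=
    case $uid in
        ''|*[!0-9]*)
            echo "session user does not resolve to an account" >&2
            return 1 ;;
    esac

    # 4. Never start a desktop session as the superuser.
    if [ "$uid" -eq 0 ]; then
        echo "session user resolves to UID 0, refusing" >&2
        return 1
    fi

    printf '%s\n' "$uid"
}

# Hypothetical use in a launcher, with the variable always quoted:
#   uid=$(resolve_session_uid "$LDM_USERNAME") || exit 1
```
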
**Recommendations**
For LTSP LDM versions prior to 2.18.07, update to version 2.18.07 or later to resolve the issue. As a temporary workaround, consider restricting access to the `run-x-session` script until a patch is available.