The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
Exploitability: AV:L, AC:H, Au:N
Impact: C:P, I:P, A:N
Score: 2.6 (AV:L/AC:H/Au:N/C:P/I:P/A:N)
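
The weakness described above comes from writing to a guessable file name in a shared directory. As an added example (not the Xsession script and not code from any of the affected projects), the shell functions below contrast that pattern with an exclusively created, unpredictable `mktemp` file; the function names and the sandbox with its planted link are constructed for illustration.

```shell
#!/bin/sh
# Added example: fixed temp-file name vs. exclusive, unpredictable creation.
# weak_errfile, safe_errfile and demo are hypothetical names, not xdm code.

# Weak pattern: truncate a fixed, guessable path. If a symlink already sits
# at that path, the truncation and chmod land on the link target instead.
weak_errfile() {    # $1 = temp dir, $2 = user name
    f="$1/xses-$2"
    cp /dev/null "$f" 2>/dev/null || return 1
    chmod 600 "$f"
    printf '%s\n' "$f"
}

# Hardened pattern: mktemp creates a new file exclusively (it fails rather
# than reuse an existing name) with a random suffix; umask 077 keeps it
# private, so a link planted at the old fixed name is never opened and other
# users cannot read the session errors.
safe_errfile() {    # $1 = temp dir, $2 = user name
    ( umask 077 && mktemp "$1/xses-$2.XXXXXX" )
}

# Constructed sandbox: a file standing in for another user's data, plus a
# symlink pre-planted at the guessable name. Prints the file's content after
# each pattern has run, separated by '|'.
demo() {
    box=$(mktemp -d) || return 1
    printf 'important\n' > "$box/victim"
    ln -s "$box/victim" "$box/xses-alice"

    safe_errfile "$box" alice >/dev/null || return 1
    after_safe=$(cat "$box/victim")    # untouched by the hardened pattern

    weak_errfile "$box" alice >/dev/null
    after_weak=$(cat "$box/victim")    # emptied through the planted link

    rm -rf "$box"
    printf '%s|%s\n' "$after_safe" "$after_weak"
}
```

`demo` prints `important|`: the file survives the hardened pattern and is emptied by the weak one. The sandbox is a private directory because Linux's `fs.protected_symlinks` setting can already block following such links in sticky world-writable directories like /tmp.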