OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Exploitability
AV:LAC:MAu:NImpact
C:CI:CA:C6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C