LXDM incorrectly handles sessions with arguments.
For example given this session startup command:
lxdm.c file, function:
void switch_user(struct passwd *pw, char *run, char **env)
spawns the Xsession script, with the full session startup command as $1 argument.
If this line gets selected:
exec -l $SHELL -c "$CK_XINIT_SESSION \"$LXSESSION\""
The session command is incorrectly quoted in $LXSESSION making the session startup command to be interpreted as a command without any argument.
This could lead to security issues if another executable with that name is available in the system.
In that same file it would be probably wise to quote $SHELL.