In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.
The link abbreviation mechanism in Org Mode supports expansions in the %(...) format, which can contain Emacs Lisp function calls. The org-link-expand-abbrev function in lisp/ol.el did not verify whether the called function was safe, allowing embedding functions such as shell-command-to-string in the abbreviation. When a user opens an Org Mode document containing a crafted link, it automatically executes the embedded system command with the Emacs process privileges.
An attacker can execute arbitrary system commands on the victim's machine, resulting in complete takeover of their session, data theft, and potential privilege escalation.
Update GNU Emacs to version 29.4 or later and Org Mode to version 9.7.5 or later. Debian distribution users should apply updates published in debian-lts-announce in June 2024.
GNU Emacs before version 29.4 and Org Mode before version 9.7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGnu Emacs
APPGnu< 29.4
Related vulnerabilities
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-c...
In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code co...
In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before ...
In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode b...
A flaw was found in the Emacs text editor. Processing a specially crafted org-mode code with the "org-babel-ex...