A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.

Technical observation:

A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like

(../../../../something.app).

Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.

Patch:

A patch for this issue was released in Evernote 7.10 Beta 1 and 7.9.1 GA for macOS [MACOSNOTE-28840]. CVE-2019-10038 was assigned to this issue.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)

Original post at:

https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html

Pierluigi Paganini

(Security Affairs – Evernote, hacking)

Share this...

Linkedin Reddit Pinterest

Share On