Allele Security Alert
ASA-2019-00308
Identifier(s)
ASA-2019-00308, MACOSNOTE-28840, CVE-2019-10038
Title
Path traversal vulnerability leads to code execution
Vendor(s)
Evernote Corporation
Product(s)
Evernote for Mac
Affected version(s)
Evernote for Mac 7.9
Fixed version(s)
Evernote for Mac 7.10 Beta 1
Evernote for Mac 7.9.1 GA
Proof of concept
Unknown
Description
A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.
A crafted URI placed in a note can perform this attack, either by using file:/// as an argument or by traversing to any directory, for example ../../../../something.app.
Because Evernote also supports sharing notes, an attacker could leverage this vulnerability by sending crafted notes (.enex) to the victim to perform further attacks.
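The following Python scanner is an added example, not part of the original alert and not Evernote's code: it parses an ENEX export and reports note links that use the file scheme or contain ".." path segments, the two URI forms described above. It assumes the usual ENEX layout (note elements with a title and a CDATA content body holding the note markup); the sample export is constructed and simplified, and the names scan_enex and classify are hypothetical.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed, simplified ENEX sample (not taken from a real note).
SAMPLE_ENEX = """<en-export>
<note><title>Meeting notes</title><content><![CDATA[<en-note>
<a href="https://evernote.com/security/updates">updates</a>
</en-note>]]></content></note>
<note><title>Invoice</title><content><![CDATA[<en-note>
<a href="file:///path/to/something.app">open</a>
<a href="..%2F../../../something.app">view</a>
</en-note>]]></content></note>
</en-export>"""

class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in a note's markup body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def classify(href):
    """Return 'file-scheme', 'traversal', or None for a link target."""
    # Undo percent-encoding and backslashes so encoded "../" is still seen.
    decoded = unquote(href).strip().replace("\\", "/")
    try:
        parts = urlsplit(decoded)
    except ValueError:
        return None
    if parts.scheme == "file":
        return "file-scheme"
    if ".." in parts.path.split("/"):
        return "traversal"
    return None

def scan_enex(enex_text):
    """Return (note title, href, reason) for every suspicious link."""
    findings = []
    # Assumption: input size is bounded; use a hardened XML parser otherwise.
    for note in ET.fromstring(enex_text).iter("note"):
        collector = _HrefCollector()
        collector.feed(note.findtext("content") or "")
        for href in collector.hrefs:
            if (reason := classify(href)):
                findings.append((note.findtext("title"), href, reason))
    return findings
```

Calling scan_enex on the text of a received .enex file before importing it lists the notes whose links warrant review.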
Technical details
Unknown
Credits
Unknown
Reference(s)
Security Updates
https://evernote.com/security/updates
Code execution – Evernote
https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html
CVE-2019-10038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10038
CVE-2019-10038
https://nvd.nist.gov/vuln/detail/CVE-2019-10038
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 2, 2019