ASA-2019-00308 – Evernote: Path traversal vulnerability leads to code execution


Allele Security Alert

ASA-2019-00308

Identifier(s)

ASA-2019-00308, MACOSNOTE-28840, CVE-2019-10038

Title

Path traversal vulnerability leads to code execution

Vendor(s)

Evernote Corporation

Product(s)

Evernote for Mac

Affected version(s)

Evernote for Mac 7.9

Fixed version(s)

Evernote for Mac 7.10 Beta 1
Evernote for Mac 7.9.1 GA

Proof of concept

Unknown

Description

A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.

A crafted URI placed in a note can trigger the issue, either by using file:/// as an argument or by traversing to any directory with a relative path such as ../../../../something.app.

Because Evernote also supports sharing notes, an attacker could leverage this vulnerability by sending crafted notes (.enex) to the victim to perform further attacks.
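
A defensive triage check for the delivery route described above, added here as an example and not taken from the advisory or from Evernote: it scans an .enex export for links that use the file: scheme or contain ../ segments, including percent-encoded ones. It assumes links sit in href or src attributes of the note content; the sample export and the names scan_enex and classify are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample export for illustration; not a real note.
SAMPLE_ENEX = """<?xml version="1.0" encoding="UTF-8"?>
<en-export>
  <note><title>Quarterly report</title>
    <content><![CDATA[<en-note><a href="https://example.com/q1">Q1</a></en-note>]]></content></note>
  <note><title>Open me</title>
    <content><![CDATA[<en-note>
      <a href="file:///Applications/Example.app">a</a>
      <a href="..%2F..%2F..%2F../something.app">b</a>
    </en-note>]]></content></note>
</en-export>"""

class _Links(HTMLParser):
    """Collect href/src values from a note body (assumed link locations)."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def classify(url):
    """Return why a link is suspicious, or None if it looks ordinary."""
    # Undo single and double percent-encoding, normalise backslashes.
    decoded = unquote(unquote(url)).replace("\\", "/").strip()
    parts = urlsplit(decoded)
    if parts.scheme.lower() == "file":
        return "file-scheme"
    # A ".." path segment in a link with no host points at the local filesystem.
    if not parts.netloc and re.search(r"(^|/)\.\.(/|$)", decoded):
        return "dot-dot-traversal"
    return None

def scan_enex(enex_text):
    """Return (note title, link, reason) for every suspicious link."""
    findings = []
    for note in ET.fromstring(enex_text).iter("note"):
        title = note.findtext("title", default="(untitled)")
        parser = _Links()
        parser.feed(note.findtext("content", default=""))
        findings += [(title, u, classify(u)) for u in parser.urls if classify(u)]
    return findings

if __name__ == "__main__":
    print(*scan_enex(SAMPLE_ENEX), sep="\n")
```

Exports received from untrusted senders should be parsed with a hardened XML parser such as defusedxml rather than the standard-library one used here.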

Technical details

Unknown

Credits

Unknown

Reference(s)

Security Updates
https://evernote.com/security/updates

Code execution – Evernote
https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html

CVE-2019-10038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10038

CVE-2019-10038
https://nvd.nist.gov/vuln/detail/CVE-2019-10038

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: June 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.