Allele Security Alert
ASA-2019-00308, MACOSNOTE-28840, CVE-2019-10038
Path traversal vulnerability leads to code execution
Evernote for Mac
Evernote for Mac 7.9
Evernote for Mac 7.10 Beta 1
Evernote for Mac 7.9.1 GA
Proof of concept
A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.
A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like (../../../../something.app).
Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.
Code execution – Evernote
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 2, 2019