ASA-2019-00308 – Evernote: Path traversal vulnerability leads to code execution

A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs. A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like (../../../../something.app). Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.