Code execution – Evernote

Original Post from Security Affairs
Author: Pierluigi Paganini

A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.

Technical observation:
A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like
(../../../../something.app).

Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.

Evernote

Patch: 
A patch for this issue was released in Evernote 7.10 Beta 1 and 7.9.1 GA for macOS [MACOSNOTE-28840]. CVE-2019-10038 was assigned to this issue.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)

Original post at:

https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html


Pierluigi Paganini

(Security Affairs – Evernote, hacking)

The post Code execution – Evernote appeared first on Security Affairs.


Go to Source
Author: Pierluigi Paganini

Leave a Reply

Your email address will not be published. Required fields are marked *

WordPress Appliance - Powered by TurnKey Linux