Evernote 7.9 code execution via path traversal Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2019-04-18 | Type: local | Platform: macOS
Summary:
A local file path traversal issue exists in Evernote 7.9 for macOS which
allows an attacker to execute arbitrary programs.
Technical observation:
A crafted URI can be placed in a note to perform this attack, either by
using file:/// as an argument or by traversing to any directory, for
example (../../../../something.app).
Because Evernote also has a note-sharing feature, an attacker could
leverage this vulnerability by sending crafted notes (.enex) to the
victim to perform further attacks.
Patch:
The patch for this issue was released in Evernote 7.10 Beta 1 for macOS
[MACOSNOTE-28840]. The issue is tracked as CVE-2019-10038.