A security expert that goes online with the moniker @sebao has discovered a stored cross-site scripting (XSS) vulnerability in the Evernote application for Windows that could be exploited by an attacker to steal files and execute arbitrary commands.
The expert noticed that when a user adds a picture to a note and then renames it, it could use a JavaScript code instead of a name. Sebao discovered that if the note was shared with another Evernote user, the code would get executed when the recipient clicked on the picture.
In September, Evernote addressed the stored XSS flaw with the release of the version 6.16., but the fix was incomplete.
The expert TongQing Zhu from Knownsec 404 Team discovered that it was still possible to execute arbitrary with a variant of the above trick.
TongQing Zhu discovered that the code used instead of the name could load a Node.js file from a remote server, the script is executed via NodeWebKit that is used by Evernote in presentation mode.
“I find Evernote has a NodeWebKit in C:\\Program Files(x86)\Evernote\Evernote\NodeWebKit and Present mode will use it. Another good news is we can execute Nodejs code by stored XSS under Present mode.” explained TongQing Zhu.
The attacker only needs to trick an Evernote into opening a note in presentation mode, in this way he will be able to steal arbitrary files and execute commands.
TongQing Zhu showed how a hacker could exploit the vulnerability to read a Windows file and execute the Calculator application on the targeted system.
The flaw was tracked as CVE-2018-18524 and was initially addressed with the release of Evernote for Windows 6.16.1 beta in October. The final patch was released earlier this month with the release of Evernote 6.16.4.
TongQing Zhu has published two PoC videos for the exploitation of the flaw:
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – XSS, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…
Japan passed a law allowing preemptive offensive cyber actions, shifting from its pacifist stance to…
James Comey is under investigation for a seashell photo showing “8647,” seen by some as…
Pwn2Own Berlin 2025 wrapped up with $383,750 awarded on the final day, pushing the total…
Security Affairs Malware newsletter includes a collection of the best articles and research on malware…
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…
This website uses cookies.
