XSS Vulnerability in Evernote Allows Local File Execution

Security researcher TongQing Zhu of Knownsec discovered a cross-site scripting (XSS) vulnerability in version 6.15 of Evernote for Windows that can be leveraged to run programs remotely on a victim’s computer. This version lacks proper data validation, allowing characters such as < and > to be inserted into the file name of an image embedded in a note. It also utilizes the Node.js framework through a NodeWebKit application runtime, allowing for JavaScript code execution when in presentation mode. As a result, a threat actor could embed a link that loads a malicious script in the file name of an image inside a note and send the note to a victim. If the victim is persuaded to view the note in presentation mode, NodeWebKit will automatically execute the code, allowing it to open system programs and files. Evernote has patched the vulnerability in its 6.16.1 beta update. The NJCCIC highly recommends that all Evernote for Windows users update to the latest version and review CVE-2018-18524.
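
The validation gap described above, shown as an added example that is not Evernote's code: a hypothetical note renderer builds an image tag from an attachment file name, first by plain concatenation and then with context-appropriate encoding. All function names and the inert sample file name are constructed for illustration.

```javascript
// Added example: hypothetical renderer for an image attachment inside a note.
// All names and the sample file name are constructed for illustration.

// Vulnerable pattern: the file name is concatenated into markup unchanged.
function renderImageUnsafe(fileName) {
  return '<img src="attachments/' + fileName + '" alt="' + fileName + '">';
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can close an attribute value or open a tag.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: percent-encode for the URL, then HTML-escape for the attribute.
function renderImageSafe(fileName) {
  const src = 'attachments/' + encodeURIComponent(fileName);
  return '<img src="' + escapeHtml(src) + '" alt="' + escapeHtml(fileName) + '">';
}

// Import-time check: flag names carrying markup or control characters.
function isSuspiciousFileName(fileName) {
  return /[<>"'`\u0000-\u001f]/.test(fileName);
}

// Minimal tokenizer for double-quoted attributes, used to compare both outputs.
function attributeNames(html) {
  return Array.from(html.matchAll(/([a-zA-Z-]+)="([^"]*)"/g), (m) => m[1]);
}

// Constructed, inert sample: the quote ends the attribute and adds a new one.
const SAMPLE_NAME = 'cat" data-injected="1.png';

function demo() {
  return {
    unsafe: attributeNames(renderImageUnsafe(SAMPLE_NAME)),
    safe: attributeNames(renderImageSafe(SAMPLE_NAME)),
    flagged: isSuspiciousFileName(SAMPLE_NAME),
  };
}

console.log(demo());
```

Output encoding closes the injection point only; whether rendered note content can reach Node.js APIs is a separate hardening decision in the application runtime.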

Advisory | NJCCIC | XSS, Evernote, Windows