Evernote's developers have fixed vulnerability CVE-2018-18524 in the Windows application, first in the 6.16.1 beta and then in Evernote 6.16.4. The bug was discovered by Knownsec and affected versions prior to 6.15.
The researchers said publicly that the vulnerability allowed a remote attacker to launch arbitrary programs on the victim's machine and execute commands; all the attacker had to do was share a note with the target user and get them to view it. The bug was a so-called stored XSS, that is, a "stored" or "persistent" cross-site scripting vulnerability.
The developers first addressed the problem in September of this year, but Knownsec specialists noticed that the vulnerability had not been completely eliminated: it was still possible to embed arbitrary code in the name of an attached image. In fact, the developers had only banned the characters <, > and " in file names.
Continuing to study the problem, the researchers found that the image name could still carry code that loads a .js file from a remote server and runs it through NodeWebKit, which Evernote uses for presentation mode. Exploitation therefore required the user not only to open the malicious note but to do so in presentation mode; apart from that extra condition, the XSS vulnerability remained as it was.
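To show why banning three characters does not close an injection point like this, here is an added example that is not Evernote's code and not Knownsec's payload. It models a hypothetical viewer template that places the attachment name inside a single-quoted HTML attribute, applies the blacklist filter the article describes (stripping <, > and "), and puts a proper attribute encoder beside it. The template, the constructed file name and every helper function here are assumptions for illustration only.

```javascript
// Added illustration, not Evernote's code: a hypothetical render path that
// interpolates an attachment file name into an HTML attribute.

// The first fix, as described in the article, only removed <, > and ".
function blacklistSanitize(name) {
  return name.replace(/[<>"]/g, "");
}

// Full HTML attribute encoding: every character that could terminate an
// attribute value or start new markup becomes an entity, so the value
// stays a value no matter which quote style the template uses.
function encodeAttr(name) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "`": "&#96;",
  };
  return name.replace(/[&<>"'`]/g, (c) => map[c]);
}

// Hypothetical template (assumption): the viewer wraps the name in single quotes.
function renderBlacklisted(name) {
  return `<img src='note-asset.png' alt='${blacklistSanitize(name)}'>`;
}

// Hardened template: encode the value and quote it consistently.
function renderEncoded(name) {
  return `<img src="note-asset.png" alt="${encodeAttr(name)}">`;
}

// Minimal attribute tokenizer for a single tag, used only to inspect what a
// browser would see: returns the attribute names in order, honouring quotes.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/\/?>$/, "");
  const re = /([^\s"'=<>`/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Constructed file name (not from the article): it contains none of <, > or ",
// so the blacklist leaves it untouched, yet the single quote closes the alt
// value and everything after it is parsed as a new attribute.
const CONSTRUCTED_NAME = "cat.png' onerror='alert(1)";

// Stand-alone run: compare what the two render paths produce.
console.log(renderBlacklisted(CONSTRUCTED_NAME), attributeNames(renderBlacklisted(CONSTRUCTED_NAME)));
console.log(renderEncoded(CONSTRUCTED_NAME), attributeNames(renderEncoded(CONSTRUCTED_NAME)));
```

With the blacklist, the rendered tag carries an extra `onerror` attribute that the filter never saw as dangerous; with attribute encoding, the whole file name stays inside `alt`. In a renderer backed by NodeWebKit, as the article says Evernote's presentation mode is, any script that gets to run this way inherits Node's privileges, which is what turns a stored XSS into command execution on the host.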