The online note-taking app Evernote has patched a serious vulnerability in its Windows version. Evernote for Windows allegedly exhibited an XSS vulnerability that could allow an attacker to utilise a stored XSS payload. This could allow an attacker run malicious programs remotely on a target device simply by sharing a note and compelling the user to view it.
Evernote For Windows Endured XSS Vulnerability
A Chinese researcher TongQing Zhu, from the cybersecurity firm Knownsec, discovered a cross-site scripting vulnerability in Evernote for Windows. As stated in his blog post, the vulnerability allowed an attacker to inject malicious codes resulting in XSS attacks.
Reportedly, Zhu discovered the vulnerability (CVE-2018-18524) after another researcher, with the alias Sebao, found a stored XSS in Evernote. Though Evernote fixed the vulnerability at that time, Zhu stepped up to find further serious flaws if present.
Zhu, hence, discovered the flaw that let him load Nodejs code from a remote server. As stated in his blog,
“After failing many times, I decided to browse all files under path C:\\Program Files(x86)\Evernote\Evernote\.I find Evernote has a NodeWebKit in C:\\Program Files(x86)\Evernote\Evernote\NodeWebKit and Present mode will use it.
we can execute Nodejs code by stored XSS under Present mode.”
He then renamed a file by adding the link to his malicious JS code in the file name. He demonstrated this exploit in a video.
This way, he could then share the modified note with anyone via Evernote chat, spreading the malicious script. To test this, he created another account and shared the note with it.
Patched Update Available
The researcher allegedly discovered the vulnerability on September 27, 2018. He swiftly informed Evernote of it, after which they began working on a patch. Then, on November 5, 2018, Evernote released patched version 6.16 beta 1 for Windows users. As stated on their website,
“Fixed a stored cross-site scripting (XSS) issue in rendering attachment filenames.”
The users should make sure they are running the patched version of Evernote for Windows on their respective devices to stay protected from the vulnerability.