SB2018110807 - Code injection in Evernote
Published: November 8, 2018 Updated: November 8, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Code injection (CVE-ID: CVE-2018-18524)
The disclosed vulnerability allows a remote attacker to inject arbitrary code.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can add a picture to a note, rename it so that JavaScript code takes the place of the file name, and trick the victim into opening that note in presentation mode.
Successful exploitation of this vulnerability may allow a remote attacker to steal arbitrary local files and execute commands.
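The bulletin describes an attachment name that is rendered without validation, so script placed in the name runs when the note is shown in presentation mode. The following is an added example, not Evernote's code, of that bug class in its simplest form: a caption template that concatenates the user-controlled name straight into HTML, beside a hardened version that escapes every user-controlled value for its context, plus a small check a reviewer can use to spot markup the template never emitted. The attachment object shape, the function names and the sample values are assumptions made for this example.

```javascript
// Added example (not Evernote's code): the bug class behind a rendered-name
// injection, with a hardened renderer and a detection helper. The attachment
// structure and function names are assumptions for this illustration.

// Escape the characters that carry meaning in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering: the user-controlled name is concatenated into markup as-is,
// so a name that contains tags becomes live HTML when the caption is displayed.
function renderCaptionUnsafe(attachment) {
  return '<figure><img src="' + attachment.src + '"><figcaption>' +
         attachment.name + '</figcaption></figure>';
}

// Hardened rendering: each user-controlled value is escaped for the context it
// lands in, so the name is shown literally. (Escaping does not validate the URL
// scheme of src; that is a separate check and is out of scope here.)
function renderCaptionSafe(attachment) {
  return '<figure><img src="' + escapeHtml(attachment.src) + '"><figcaption>' +
         escapeHtml(attachment.name) + '</figcaption></figure>';
}

// Detection helper: report true if the rendered markup contains any tag other than
// the three the template is allowed to emit. Useful as a regression test.
function containsUnexpectedTags(html) {
  const allowed = new Set(['figure', 'img', 'figcaption']);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample: a renamed picture whose "name" is markup rather than a file name.
const hostileAttachment = {
  src: 'attachment-1.png',
  name: '<script>alert(1)</script>',
};

// Stand-alone demonstration of both renderers on the constructed sample.
console.log('unsafe leaks script tag:', containsUnexpectedTags(renderCaptionUnsafe(hostileAttachment)));
console.log('safe output:', renderCaptionSafe(hostileAttachment));
```

The check is deliberately coarse: it asserts on the structure the template is allowed to produce rather than trying to recognise payloads, which is the property a unit test for a renderer should pin down.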
Remediation
Install the update from the vendor's website.