Evernote for Windows patch resolves stored XSS vulnerability

The severe flaw permitted attackers to create a persistent XSS issue.

Evernote has patched a flaw in the Microsoft Windows version of the app which permitted stored XSS attacks to occur.

The vulnerability, CVE-2018-18524, has been resolved in Evernote for Windows 6.16.1 beta.

The main security flaw impacted Evernote for Windows 6.14 and was discovered by TongQing Zhu from the Knownsec 404 team.

As described in a blog post last week, the cross-site scripting (XSS) issue was uncovered when local files -- including win.ini and calc.exe -- could be read.

Evernote accepted characters and phrases such as "onclick = "alert(1) " when image files were renamed and opened, and this lack of validation allowed the researcher to create a stored XSS.
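
The example below is added here for illustration and is not Evernote's code or the researcher's proof of concept. It shows why an unencoded file name placed inside an HTML attribute lets a quote character introduce a new attribute, and how attribute encoding closes that gap; the markup, function names and sample file names are assumptions.

```javascript
// Added example: names and markup are hypothetical, not Evernote's code.

// Vulnerable pattern: the attachment's file name is pasted into an
// attribute value without encoding.
function renderAttachmentUnsafe(fileName) {
  return '<img src="attachments/1.png" title="' + fileName + '">';
}

// Hardened pattern: encode every character that can end the attribute
// value or open a new tag before interpolating.
const ATTR_ENTITIES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
function escapeAttr(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => ATTR_ENTITIES[ch]);
}
function renderAttachmentSafe(fileName) {
  return '<img src="attachments/1.png" title="' + escapeAttr(fileName) + '">';
}

// Minimal attribute scanner for the single <img> tag produced above:
// returns the attribute names an HTML parser would see.
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
  const inner = tag.replace(/^<\w+/, '');
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag carries an inline event handler (on*).
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith('on'));
}

// Constructed sample input, modelled on the string quoted in the article.
const crafted = 'x" onclick="alert(1)';
const benign = 'holiday photo.png';

console.log('unsafe:', renderAttachmentUnsafe(crafted), hasEventHandler(renderAttachmentUnsafe(crafted)));
console.log('safe:  ', renderAttachmentSafe(crafted), hasEventHandler(renderAttachmentSafe(crafted)));
```

The same scanner can serve as a regression check in a renderer's test suite: any output built from an untrusted file name should yield only the attributes the template itself defines.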

XSS is a common attack vector for everything from browser sessions to mobile applications. While reflected XSS attacks will bounce a malicious script onto a browsing session, stored XSS attacks are the more dangerous of the two as they allow malicious scripts to be injected directly into a browser or other form of software.

Successful XSS attacks can lead to account compromise, browser hijacking, and the execution of malware payloads via exploit kits.

In Evernote's case, however, the researcher explored further and found that he was also able to load Node.js code via the stored XSS under Present mode in Evernote for Windows 6.15 -- and the malicious files could be shared with other accounts via work chats, leading to code execution.

Knownsec 404 discovered the flaws on September 27, reporting its findings to Evernote on the same day. Evernote quickly confirmed the bugs and resolved them in October during the app's latest update, Evernote for Windows 6.16.1 beta.

ZDNet has reached out to Evernote and will update if we hear back.
