A local file path traversal vulnerability which allows attackers to run arbitrary code on their targets' Macs remotely was fixed by Evernote after receiving a report from
security researcher Dhiraj Mishra.
The security issue tracked as
CVE-2019-10038 was found by Mishra in Evernote 7.9 for macOS and it is now patched in the 7.10 Beta 1 version. As detailed in a forum post on the company's forum, the fix is now also available in the
stable 7.9.1 version which just got released.
As the researcher
explained, the software flaw can be exploited to run arbitrary code remotely "Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks."