CVE-2018-19658

Vulnerability

The YXBJ (Evernote for Mac) application, prior to version 8.3.2, contains a stored cross-site scripting (XSS) vulnerability in its Markdown editor [1]. This vulnerability allows malicious content to be embedded within Markdown notes, which is then rendered when the note is viewed by the user. The issue was fixed in version 8.3.2 [1].

Exploitation

An attacker with the ability to create or modify notes (e.g., via shared notebooks or note import) can inject arbitrary JavaScript code into a Markdown-formatted note. No further user interaction beyond viewing the note is required; the payload executes automatically in the context of the victim's session when the note is rendered [1].

Impact

Successful exploitation leads to stored XSS, which could allow the attacker to execute arbitrary JavaScript in the context of the victim's session. This could result in information disclosure, session hijacking, or unauthorized actions performed on behalf of the victim [1].

Mitigation

Upgrade to YXBJ (Evernote for Mac) version 8.3.2, released on or before 2018, which fixes the stored XSS issue in the Markdown editor [1]. No workarounds are available; users must update to the patched version to eliminate the vulnerability.