VYPR
Unrated severity · NVD Advisory · Published Jan 9, 2024 · Updated Jun 3, 2025

CVE-2023-50643

Description

Evernote for macOS 10.68.2 allows code injection via Electron fuses, but requires prior system access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-50643 reports that Evernote for macOS v10.68.2 leaves the Electron fuses runAsNode and enableNodeCliInspectArguments enabled, which could allow an attacker to execute arbitrary code. The Electron project disputes the severity, stating the configuration does not enable remote code execution and that an attacker must already have command execution ability on the system [1][3].

Exploitation

Exploitation requires the attacker to already have arbitrary command execution on the target machine (e.g., physical access or prior RCE). A proof-of-concept tool (electroniz3r) can validate the vulnerable fuse state and inject code to obtain a shell [3]. No user interaction is needed beyond the initial compromise.

Impact

Successful exploitation allows arbitrary code execution within the Evernote app context, potentially leading to full system compromise. However, the attacker must already have significant access to the system, limiting the practical impact [1][3].

Mitigation

Evernote has not officially announced a fix; the issue is disputed. Users should update to the latest version of Evernote (if available) and ensure the runAsNode and enableNodeCliInspectArguments fuses are disabled. The Electron project recommends disabling these fuses for security. No workaround is provided for installations that have no patch [1].
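To check the fuse state the mitigation refers to, the following added example (not code from Evernote, the Electron project, or this advisory) parses the fuse wire out of a framework binary's bytes and reports the two fuses named in the CVE. The sentinel, wire layout and fuse positions follow Electron's fuses documentation; the function names and the sample buffers are constructed for illustration.

```javascript
// Added example: read Electron fuse state from the bytes of a framework binary.
// Wire layout (per Electron's fuses documentation): sentinel string, a version
// byte, a length byte, then one ASCII byte per fuse: '0' off, '1' on, 'r' removed.
const SENTINEL = Buffer.from('dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX', 'latin1');
// Wire positions of the two fuses named in CVE-2023-50643.
const FUSES_OF_INTEREST = { runAsNode: 0, enableNodeCliInspectArguments: 3 };
const STATES = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };

// Returns one entry per fuse wire found. A universal (multi-architecture)
// binary carries one wire per slice, so every occurrence is reported.
function readFuseWires(binary) {
  const wires = [];
  let at = binary.indexOf(SENTINEL);
  while (at !== -1) {
    const start = at + SENTINEL.length;
    if (start + 2 > binary.length) break; // sentinel at end of a truncated file
    const length = binary[start + 1];
    const fuses = {};
    for (const [name, index] of Object.entries(FUSES_OF_INTEREST)) {
      // A fuse beyond the wire length does not exist in this Electron build.
      const byte = index < length ? binary[start + 2 + index] : undefined;
      fuses[name] = STATES[byte] ?? 'absent';
    }
    wires.push({ offset: at, version: binary[start], fuses });
    at = binary.indexOf(SENTINEL, at + 1);
  }
  return wires;
}

// True when any slice leaves either fuse enabled.
function hasRiskyFuses(binary) {
  return readFuseWires(binary).some((w) => Object.values(w.fuses).includes('enabled'));
}

// Constructed sample data (not bytes from Evernote): padding + one fuse wire.
function sampleWire(states) {
  const header = Buffer.from([1, states.length]);
  return Buffer.concat([Buffer.from('pad'), SENTINEL, header, Buffer.from(states, 'latin1')]);
}
const SAMPLE_UNIVERSAL = Buffer.concat([sampleWire('1011'), sampleWire('0100')]);

// On a real install, pass the framework binary's bytes instead, e.g. the result
// of fs.readFileSync() on the app's "Electron Framework" file.
console.log(JSON.stringify(readFuseWires(SAMPLE_UNIVERSAL), null, 2));
console.log('risky fuses present:', hasRiskyFuses(SAMPLE_UNIVERSAL));
```

A build counts as hardened here only when every reported wire shows both fuses as disabled or removed, since one slice of a universal binary can differ from the other.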

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 2
