CVE-2020-17759

Published: Jun 24, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was found in the Evernote client for Windows 10, 7, and 2008 in the protocol handler. This enables attackers for arbitrary command execution if the user clicks on a specially crafted URL. AKA: WINNOTE-19941.

Affected (2)

Products: Evernote: Evernote

Evernote

1 product

Evernote

Configuration A

2 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Evernote Evernote	Version 6.17.7
Evernote Evernote	Version 6.18 beta2

Running on/with	Platform Versions
Microsoft Windows 10	All versions
Microsoft Windows 7	All versions
Microsoft Windows Server 2008	All versions

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://evernote.com/intl/zh-cn/security/updates/

Source: cve@mitre.org

Vendor Advisory

https://evernote.com/intl/zh-cn/security/updates/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.