A cross-site scripting (XSS) vulnerability has been discovered in version 6.15 of Evernote for Windows. This vulnerability can be leveraged to run programs remotely on a victim's computer. Specifically, a malicious actor could embed a link that loads malicious script in the file name of an image inside a note, and send that note to a victim. If the note is viewed in presentation mode, the NodeWebKit (NW.js) runtime executes the script automatically, allowing it to open system programs and files.
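The root cause described above is an untrusted attachment file name being inserted into the presentation-mode HTML as markup rather than as text. The following added example (not Evernote's code; the function names and the sample file name are hypothetical and constructed here) shows the vulnerable rendering pattern beside its hardened form, and a small audit check that flags output containing tags the template did not contribute.

```javascript
// Added example: rendering an untrusted attachment file name into HTML.
// In a NodeWebKit/NW.js page, injected script runs with Node privileges,
// so output encoding at this point is the control that matters.

// Escape the five characters that can break out of element text or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the file name is trusted as markup.
function renderCaptionVulnerable(fileName) {
  return `<figcaption>${fileName}</figcaption>`;
}

// Hardened pattern: the file name is treated strictly as text.
function renderCaptionSafe(fileName) {
  return `<figcaption>${escapeHtml(fileName)}</figcaption>`;
}

// Audit helper: true if the rendered fragment contains any tag other than
// the <figcaption> wrapper supplied by the template itself.
function containsForeignTag(html) {
  return /<(?!\/?figcaption>)/.test(html);
}

// Constructed sample file name carrying a benign script tag.
const SAMPLE_FILE_NAME = 'holiday<script>alert(1)</script>.png';

// Run both renderers over the sample and report what the audit check sees.
function demo(fileName = SAMPLE_FILE_NAME) {
  const vulnerable = renderCaptionVulnerable(fileName);
  const safe = renderCaptionSafe(fileName);
  return {
    vulnerable,
    safe,
    vulnerableLeaksTag: containsForeignTag(vulnerable), // true
    safeLeaksTag: containsForeignTag(safe),             // false
  };
}

module.exports = { escapeHtml, renderCaptionVulnerable, renderCaptionSafe, containsForeignTag, SAMPLE_FILE_NAME, demo };
```

The same escaping must be applied to every place the file name is emitted (captions, tooltips, title attributes); escaping only the caption leaves the other sinks open.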
Evernote has patched this vulnerability in its 6.16.1 beta update. Evernote for Windows users are advised to apply this update as soon as possible.