Online note sharing company Evernote has patched a hole that allowed attackers to infect notes shared via its service. The vulnerability (CVE-2018-18524) could have allowed an attacker to run programs remotely on a victim’s computer simply by sharing a note with them and persuading them to view it. Evernote has patched the vulnerability in Evernote for Windows 6.16.1 beta.
The vulnerability, discovered by TongQing Zhu, a researcher at Chinese cybersecurity company Knownsec, was a form of cross-site scripting (XSS) attack. XSS attacks allow attackers to inject malicious code into websites.
Read more about the critical Evernote flaw for Windows on Naked Security.