CVE-2018-18524

{"id": "CVE-2018-18524", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-05-13T14:29:00.817", "references": [{"url": "https://evernote.com/intl/en/security/updates", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://paper.seebug.org/737/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an affected note under Present mode, the attacker can read the victim's files and achieve remote execution command on the victim's computer."}, {"lang": "es", "value": "Evernote versi\u00f3n 6.15 en Windows, tiene una vulnerabilidad guardada de tipo XSS reparada incorrectamente. Un atacante puede usar este problema XSS para inyectar el c\u00f3digo Node.js en modo Presentaci\u00f3n. Despu\u00e9s de que una v\u00edctima abra una nota afectada bajo el modo Presentaci\u00f3n (Present), el atacante puede leer los archivos y lograr un comando de ejecuci\u00f3n remota en en el ordenador de la v\u00edctima."}], "lastModified": "2019-05-13T16:44:49.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:evernote:evernote:6.15:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "B9993C85-BF77-469F-8363-CF38FE94318C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}