This issue was reported to Evernote by @ajdumanhug and fixed in November 2019. This disclosure is a copy of the original, and is for historical purposes only.
The Open with Terminal functional is vulnerable to One Click Code Execution. Tested the vulnerability using the Mac Desktop App version Mac 7.13 and below.
It happens because they donβt add com.apple.quarantine meta-attribute for downloaded files to avoid the execution of terminal files.
I already reported this to Evernote, and I just wanted to report it here to ask for disclosure.
https://www.youtube.com/watch?v=OG2tKlZX5bg&feature=youtu.be
https://discussion.evernote.com/topic/121459-evernote-for-mac-713/
https://evernote.com/security/updates#MACOSNOTE-28956
https://www.cvedetails.com/cve/CVE-2019-17051/