When @theart42 and I (@4nqr34z) were once again looking into new software for a CTF box, we came across an injection in Jamovi that could lead to remote code execution.
When a user opens the document, the code is executed on the local machine.
Jamovi <=1.6.18 is affected by a cross-site scripting (XSS) vulnerability. The column name is vulnerable to XSS in the ElectronJS framework. An attacker can craft a .omv (Jamovi) document containing a payload. When the victim opens it, the payload is triggered.
Code is executed with the privileges of the user.
POC video: https://youtu.be/x94W2kzoBbc
The developer has been notified and has an updated version available.