CVE-2021-28079 Overview
CVE-2021-28079 is a Cross-Site Scripting (XSS) vulnerability affecting Jamovi statistical software versions 1.6.18 and earlier. The vulnerability exists within the column-name handling functionality of the ElectronJS Framework used by Jamovi. An attacker can craft a malicious .omv (Jamovi) document containing an XSS payload embedded in a column name. When a victim opens this malicious document, the payload is executed within the context of the ElectronJS application, potentially allowing the attacker to execute arbitrary JavaScript code.
Critical Impact
Attackers can execute malicious JavaScript code within the Jamovi application context by tricking users into opening crafted .omv files, potentially leading to data theft or further system compromise.
Affected Products
- Jamovi versions 1.6.18 and earlier
- ElectronJS-based Jamovi desktop application
Discovery Timeline
- 2021-04-26 - CVE CVE-2021-28079 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28079
Vulnerability Analysis
This Cross-Site Scripting (XSS) vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability stems from improper sanitization of user-supplied input within column names in Jamovi data files.
The ElectronJS framework, which powers the Jamovi desktop application, renders content using Chromium. When column names from .omv files are processed and displayed in the application interface, they are not properly sanitized for HTML/JavaScript content. This allows an attacker to embed malicious script content that executes when the document is rendered.
The attack requires user interaction, as the victim must open a malicious .omv file. However, since Jamovi is commonly used in academic and research settings for statistical analysis, social engineering attacks distributing malicious data files could be particularly effective.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding of column names within the ElectronJS application. The application fails to properly sanitize or escape special characters and HTML entities when processing column name data from .omv files before rendering them in the user interface.
Attack Vector
The attack vector is network-based, requiring an attacker to deliver a malicious .omv file to a victim. This could be accomplished through:
- Email attachments containing malicious Jamovi data files
- Shared network drives or cloud storage containing crafted files
- Academic data sharing platforms where research datasets are exchanged
- Compromised websites hosting malicious Jamovi datasets
When the victim opens the malicious file in Jamovi, the XSS payload embedded in the column name is executed within the ElectronJS context, potentially allowing the attacker to steal sensitive data, manipulate application behavior, or perform actions on behalf of the user.
The vulnerability requires user interaction (opening a file), but given the file-sharing nature of statistical research work, this attack scenario is realistic. Additional technical details are available in the GitHub CVE-2021-28079 Details.
Detection Methods for CVE-2021-28079
Indicators of Compromise
- Presence of .omv files containing suspicious HTML or JavaScript code within column names
- Unusual network connections originating from the Jamovi application process
- Unexpected script execution or browser-like behavior from the Jamovi desktop application
- Log entries showing JavaScript errors related to injected payloads
Detection Strategies
- Implement file scanning solutions to inspect .omv files for embedded script content before opening
- Monitor for unusual process behavior from Jamovi application including unexpected network connections or child process spawning
- Deploy endpoint detection solutions capable of identifying XSS payload patterns in document files
- Enable application-level logging to capture anomalous rendering behavior
Monitoring Recommendations
- Monitor file system access for .omv files from untrusted sources
- Track Jamovi application behavior for signs of JavaScript execution outside normal parameters
- Implement network monitoring for unexpected outbound connections from statistical software
- Review application logs for error messages indicative of malformed column name data
How to Mitigate CVE-2021-28079
Immediate Actions Required
- Update Jamovi to the latest available version that addresses this vulnerability
- Exercise caution when opening .omv files from untrusted or unknown sources
- Validate the source and integrity of any Jamovi data files before opening
- Consider scanning .omv files with security tools before opening in production environments
Patch Information
Users should upgrade Jamovi to a version newer than 1.6.18 that includes proper input sanitization for column names. Check the Jamovi Official Website for the latest security updates and version releases.
Workarounds
- Only open .omv files from trusted and verified sources
- Consider converting data from untrusted sources to neutral formats (CSV) before importing into Jamovi
- Implement network segmentation to limit potential impact if exploitation occurs
- Use application sandboxing or virtualization when working with files from untrusted sources
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
