VYPR
Low severity (CVSS 3.5) · OSV Advisory · Published Apr 1, 2024 · Updated Apr 15, 2026

CVE-2022-4966

Description

A vulnerability was found in sequentech admin-console up to 6.1.7 and classified as problematic. Affected by this issue is some unknown functionality of the component Election Description Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 7.0.0-beta.1 is able to address this issue. The patch is identified as 0043a6b1e6e0f5abc9557e73f9ffc524fc5d609d. It is recommended to upgrade the affected component. VDB-258782 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Sequentech admin-console's Election Description Handler allows remote attackers to inject arbitrary web script via crafted election descriptions, fixed in version 7.0.0-beta.1.

Vulnerability

CVE-2022-4966 is a cross-site scripting (XSS) vulnerability in the Election Description Handler of Sequentech admin-console versions prior to 7.0.0-beta.1. The application used AngularJS's ng-bind-html directive to render election descriptions without proper sanitization, allowing malicious HTML or JavaScript to be executed when the description is viewed [1][2]. The root cause is that the $sanitize service was not consistently applied, and the backend did not sanitize input before displaying it [1].

Exploitation

An attacker with privileges to create or edit an election (typically an admin user) can inject a malicious payload into the election description field. This payload is stored and later rendered to other users, including administrators viewing the election list or creation screen [1][2]. The attack is launched remotely: it requires only access to the application's web interface, not any further network access [description].

Impact

Successful exploitation allows arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The CVSS score of 3.5 (Low) reflects the requirement of administrative privileges and the limited scope of the application's use.

Mitigation

The vulnerability is patched in version 7.0.0-beta.1 [4]. The fix replaces ng-bind-html with ng-bind (which escapes HTML) and applies $sanitize more broadly to server responses [1][2]. The specific commit is 0043a6b1e6e0f5abc9557e73f9ffc524fc5d609d [2]. Users should upgrade to the latest release.
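To make the binding swap concrete, the following added example (not Sequentech code) models what the two AngularJS bindings amount to once the election list is serialized: ng-bind-html inserts the bound string as markup, ng-bind sets it as text and the browser escapes it. The election record, the render functions and the regression check are all constructed for this illustration.

```javascript
// Entity map covering every character that can open or close markup or an
// attribute value; this is the escaping a text binding (ng-bind) yields.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Vulnerable rendering: the description is interpolated as raw markup, the
// effect of ng-bind-html when $sanitize is not applied. Returns the HTML the
// election list row would contain.
function renderDescriptionUnsafe(election) {
  return `<div class="description">${election.description}</div>`;
}

// Fixed rendering: the description is bound as text (ng-bind), so no tag
// inside it can ever form an element.
function renderDescriptionSafe(election) {
  return `<div class="description">${escapeHtml(election.description)}</div>`;
}

// Regression check usable in a unit test: the wrapper contributes exactly two
// tags, so any further tag in the output came from the description itself.
function descriptionAddsTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length > 2;
}

// Constructed sample: an election whose description carries a script element.
const sampleElection = {
  id: 42,
  title: 'Board election',
  description: 'Vote here <script>alert("xss")</script>',
};

console.log(renderDescriptionUnsafe(sampleElection)); // script element survives
console.log(renderDescriptionSafe(sampleElection));   // rendered as inert text
```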

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • (no CPE) range: 17.04, 3.2.0, 3.3.0, …
  • (no CPE) range: <=6.1.7

Patches: 2


References: 6
