Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'txAny' in '/evaluacion_competencias_autoeval_list.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Data Exfiltration via Out‑of‑Band SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an out‑of‑band SQL injection (OOB SQLi) discovered in the Performance Evaluation (EDD) application. By manipulating the 'txAny' parameter on the '/evaluacion_competencias_autoeval_list.aspx' page, an attacker can extract sensitive database data via external channels. Because the database content is not returned directly by the application, the primary impact is confidentiality violation. The flaw is a classic SQL injection problem, classified as CWE‑89.

Affected Systems

The affected system is the Quatuor Evaluación de Desempeño (EDD) application. All releases published before the November 12, 2025 upgrade are vulnerable; the security team has confirmed that the issue is fixed in the latest release available from Quatuor.

Risk and Exploitability

The CVSS v4.0 score of 9.3 is rated Critical, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. To exploit it, an attacker must send a crafted request to the '/evaluacion_competencias_autoeval_list.aspx' endpoint, supplying a malicious value in the 'txAny' parameter. The affected endpoint is publicly reachable, so the attack vector is remote over the network.

Generated by OpenCVE AI on April 18, 2026 at 18:46 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Upgrade the Quatuor Evaluación de Desempeño application to the November 12, 2025 release or later, which removes the vulnerable code.
  • If an immediate upgrade is not possible, restrict the /evaluacion_competencias_autoeval_list.aspx endpoint to authenticated users only and validate the txAny parameter against an allow-list, rejecting non‑numeric or otherwise unexpected values before they reach the database.
  • Monitor web and database logs for anomalous queries or external outbound traffic that could indicate attempted OOB data exfiltration.
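The two interim measures above (allow-list validation of txAny and log monitoring for rejected values) can be illustrated in a few lines. The following is an added example written for this page, not code from OpenCVE, Quatuor or the EDD application; the application is ASP.NET, and the real SQL it runs behind txAny is not published, so the query, the table layout and the allow-list rule (a numeric id or a short alphanumeric search term) are assumptions, and the log lines are constructed in a simplified W3C/IIS style.

```python
import re
import sqlite3
from urllib.parse import parse_qs

ENDPOINT = "/evaluacion_competencias_autoeval_list.aspx"
PARAM = "txAny"

# Assumption: txAny legitimately carries either a numeric record id or a short
# alphanumeric search term. Anything else (quotes, semicolons, comment markers,
# parentheses, over-long strings) is rejected before it reaches the database.
_EXPECTED = re.compile(r"^(?:\d{1,10}|[A-Za-z0-9 ]{1,40})$")


def is_expected_tx_any(value: str) -> bool:
    """Allow-list check for the txAny parameter (hypothetical rule)."""
    return bool(_EXPECTED.fullmatch(value))


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the unknown EDD schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE autoeval (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO autoeval (name) VALUES (?)",
        [("Leadership",), ("Teamwork",), ("Communication",)],
    )
    return conn


def lookup_autoeval(conn: sqlite3.Connection, tx_any: str) -> list:
    """Hardened lookup: validate first, then bind the value as a parameter.

    The user-supplied text is never concatenated into the SQL string, so the
    database engine treats it as data, which is the CWE-89 fix. The LIKE query
    is hypothetical; it only shows the parameter-binding pattern.
    """
    if not is_expected_tx_any(tx_any):
        raise ValueError("rejected txAny value")
    cur = conn.execute(
        "SELECT id, name FROM autoeval WHERE name LIKE ?",
        (f"%{tx_any}%",),
    )
    return cur.fetchall()


# Constructed sample log: "date time method uri-stem uri-query status".
# Real IIS logs carry more fields; the layout here is simplified on purpose.
SAMPLE_LOG = """\
2026-01-27 10:00:01 GET /evaluacion_competencias_autoeval_list.aspx txAny=Leadership 200
2026-01-27 10:00:05 GET /evaluacion_competencias_autoeval_list.aspx txAny=1234 200
2026-01-27 10:01:10 GET /evaluacion_competencias_autoeval_list.aspx txAny=Team'%3B-- 500
2026-01-27 10:02:00 GET /otra_pagina.aspx id=5 200
"""


def find_suspicious_requests(log_text: str) -> list:
    """Flag requests to the affected endpoint whose txAny fails the allow-list.

    Returns (timestamp, decoded txAny value, HTTP status) tuples, which is
    enough to pivot into the web and database logs for the same time window.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed or differently shaped line; skip
        date, time, _method, stem, query, status = parts
        if stem.lower() != ENDPOINT:
            continue
        params = parse_qs(query, keep_blank_values=True)  # URL-decodes values
        for value in params.get(PARAM, []):
            if not is_expected_tx_any(value):
                hits.append((f"{date} {time}", value, status))
    return hits


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_autoeval(db, "Lead"))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious txAny:", hit)
```

The allow-list is deliberately strict: an OOB technique has to get a whole statement past the parser, so rejecting every character outside the expected alphabet removes that possibility without needing to enumerate attack strings. The log scan is only a triage aid; a rejected value in the web log is the cue to check outbound connections from the database host for the same period, as the monitoring recommendation above describes.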

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000

Type               | Values Removed | Values Added
CPEs               |                | cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
Metrics (cvssV3_1) |                | {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 27 Jan 2026 21:15:00 +0000

Type           | Values Removed | Values Added
Metrics (ssvc) |                | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Quatuor; Quatuor evaluacion De Desempeno
Vendors & Products  |                | Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 16:45:00 +0000

Type               | Values Removed | Values Added
Description        |                | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'txAny' in '/evaluacion_competencias_autoeval_list.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Title              |                | Out-of-band SQL injection in Quatuor Performance Evaluation
Weaknesses         |                | CWE-89
References         |                |
Metrics (cvssV4_0) |                | {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T20:53:03.491Z

Reserved: 2026-01-27T09:25:46.303Z

Link: CVE-2026-1472

Vulnrichment

Updated: 2026-01-27T19:50:15.836Z

NVD

Status : Analyzed

Published: 2026-01-27T17:16:10.400

Modified: 2026-02-10T20:21:09.143

Link: CVE-2026-1472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses