Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the 'Id_usuario' parameter of '/evaluacion_competencias_evalua.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration / Confidentiality Loss
Action: Patch
AI Analysis

Impact

The vulnerability is an out-of-band SQL injection that can be triggered through the 'Id_usuario' parameter of the '/evaluacion_competencias_evalua.aspx' page. An attacker can send specially crafted input that causes the underlying database query to forward results to an external channel. The data is never returned to the web application, but the attacker can retrieve sensitive database contents via the OOB channel, resulting in a confidentiality breach. This weakness is a classic instance of CWE-89 SQL injection.

Affected Systems

The affected product is Quatuor's Performance Evaluation (EDD) application, developed by Gabinete Técnico de Programación. All versions released before the November 12, 2025 update are vulnerable. The fix was incorporated in the latest public release on that date.

Risk and Exploitability

The CVSS score of 9.3 reflects a high-severity vulnerability that could allow attackers to exfiltrate data with little effort. The EPSS score of less than 1% indicates that, at the time of this analysis, the probability of exploitation is low, and the vulnerability is not present in the CISA KEV list. Attackers would need to target the specific web endpoint, craft outbound queries, and monitor a controlled external endpoint to receive the data. The impact is limited to confidentiality; there is no documented privilege escalation or remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 02:07 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Deploy the November 12, 2025 update of the Quatuor Performance Evaluation application immediately.
  • Ensure all input fields, particularly 'Id_usuario', are strictly validated and parameterized to prevent SQL injection.
  • Perform penetration testing focused on outbound database queries to confirm the OOB injection path has been closed.
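The second recommended action, shown as code: an added example of a hardened ASP.NET Web Forms handler for the 'Id_usuario' parameter (this is illustrative code, not the vendor's or OpenCVE's). The table and column names, the 'Edd' connection-string name and the 'lblNombre' label control are assumptions.

```csharp
// Added example (assumptions: table Usuarios, column Nombre, connection string "Edd",
// label control lblNombre). Vulnerable pattern this replaces, for contrast only:
//   "SELECT Nombre FROM Usuarios WHERE Id_usuario = " + Request["Id_usuario"]
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class EvaluacionCompetenciasEvalua : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Strict validation: the id must be a positive integer, nothing else.
        if (!int.TryParse(Request.QueryString["Id_usuario"], out int idUsuario) || idUsuario <= 0)
        {
            Response.StatusCode = 400;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // 2. Parameterized query: the value is sent as typed data, never as SQL text,
        //    so it cannot alter the statement or chain additional commands.
        const string sql = "SELECT Nombre FROM Usuarios WHERE Id_usuario = @Id_usuario";
        string cs = ConfigurationManager.ConnectionStrings["Edd"].ConnectionString;

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Id_usuario", SqlDbType.Int).Value = idUsuario;
            conn.Open();
            object nombre = cmd.ExecuteScalar();

            // 3. Encode on output so the database value cannot be rendered as markup.
            lblNombre.Text = nombre == null ? string.Empty : Server.HtmlEncode(nombre.ToString());
        }
    }
}
```

Parameterization closes the injection path; running the application's database login with least privilege, so it cannot invoke procedures that open outbound connections, removes the out-of-band channel as a second layer.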

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared: Quatuor; Quatuor evaluacion De Desempeno
Vendors & Products: Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the 'Id_usuario' parameter of '/evaluacion_competencias_evalua.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Title Out-of-band SQL injection in Quatuor Performance Evaluation
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T20:52:49.184Z

Reserved: 2026-01-27T09:25:50.765Z

Link: CVE-2026-1473

Vulnrichment

Updated: 2026-01-27T19:50:06.221Z

NVD

Status: Analyzed

Published: 2026-01-27T17:16:10.547

Modified: 2026-02-10T20:20:56.477

Link: CVE-2026-1473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses