Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the 'Id_usuario' and 'Id_evaluacion' parameters of '/evaluacion_inicio.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality compromise via out-of-band SQL injection
Action: Update Application
AI Analysis

Impact

An out-of-band SQL injection flaw in the 'Id_usuario' and 'Id_evaluacion' parameters of /evaluacion_inicio.aspx allows attackers to extract sensitive data from the database through an external channel, thereby compromising confidentiality. The flaw is a classic CWE-89 condition: untrusted input is passed into a database query without proper sanitization or parameterization. Because the application does not return the query's results in its own response, the data leaves through an out-of-band channel rather than being read directly from the page.

Affected Systems

The vulnerability affects the Quatuor Evaluación de Desempeño (EDD) application produced by Gabinete Técnico de Programación. No specific release identifiers are listed, but the issue is fixed in the version released on November 12, 2025, so any earlier or unpatched instance should be considered vulnerable.

Risk and Exploitability

The CVSS base score of 9.3 indicates a critical-severity vulnerability. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the flaw is not currently in the CISA KEV catalog. Nonetheless, the attack vector is remote (an HTTP request to the affected page, requiring no privileges or user interaction according to the CVSS vector), and an attacker would have to craft input that makes the database server open an outbound connection. The impact is blind, out-of-band extraction of confidential data. The likelihood of exploitation is inferred to be low but not negligible, since the vulnerability is publicly known.

Generated by OpenCVE AI on April 18, 2026 at 02:07 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Deploy the latest release of Quatuor Evaluación de Desempeño (November 12, 2025) to fix the out-of-band SQL injection flaw.
  • Test the application to confirm that malicious input in the Id_usuario and Id_evaluacion parameters no longer triggers external database activity.
  • Configure the database user credentials used by the application with least-privilege permissions, limiting access to only the tables and columns required for normal operation.
  • Implement a web-application firewall rule that inspects incoming requests to the vulnerable parameters and blocks suspicious SQL injection payloads until the patch is applied.
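The CWE-89 condition described above, shown as an added illustration rather than the vendor's code (which is not on this page): the unsafe concatenation pattern beside a parameterized ADO.NET handler for the two request parameters of /evaluacion_inicio.aspx. The table and column names, the connection handling and the method names are assumptions.

```csharp
// Added example, not code from the EDD application. Table and column names
// (Evaluaciones, IdUsuario, IdEvaluacion, Estado) are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;

public static class EvaluacionInicio
{
    // Vulnerable pattern (CWE-89). Request values are spliced into the SQL
    // text, so the database parses attacker-controlled input as part of the
    // statement. Shown only to contrast with the fixed version below.
    public static string BuildQueryUnsafe(string idUsuario, string idEvaluacion) =>
        "SELECT IdEvaluacion, Estado FROM Evaluaciones WHERE IdUsuario = "
        + idUsuario + " AND IdEvaluacion = " + idEvaluacion;

    // Step 1: both parameters are numeric identifiers, so reject anything
    // that does not parse as an int before it gets near the database.
    public static bool TryParseIds(string rawUsuario, string rawEvaluacion,
                                   out int idUsuario, out int idEvaluacion)
    {
        idEvaluacion = 0;
        return int.TryParse(rawUsuario, out idUsuario)
            && int.TryParse(rawEvaluacion, out idEvaluacion);
    }

    // Step 2: bind the values as typed parameters. The SQL text is a constant
    // and the values travel separately, so they cannot alter the statement's
    // structure: no appended subquery, stacked statement or outbound call.
    public static DataTable LoadEvaluacion(SqlConnection conn, int idUsuario, int idEvaluacion)
    {
        const string sql =
            "SELECT IdEvaluacion, Estado FROM Evaluaciones "
            + "WHERE IdUsuario = @IdUsuario AND IdEvaluacion = @IdEvaluacion";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@IdUsuario", SqlDbType.Int).Value = idUsuario;
            cmd.Parameters.Add("@IdEvaluacion", SqlDbType.Int).Value = idEvaluacion;
            var result = new DataTable();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }
}
```

Parameterization closes the injection itself; the least-privilege database login from the list above is what bounds the damage of any future injection elsewhere in the application, including access to database features that open outbound connections from the database host.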


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000 (no values removed)

  CPEs added: cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
  Metrics added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 28 Jan 2026 12:30:00 +0000 (no values removed)

  First Time appeared: Quatuor; Quatuor evaluacion De Desempeno
  Vendors & Products added: Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 21:15:00 +0000 (no values removed)

  Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 16:45:00 +0000 (no values removed)

  Description added: An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the 'Id_usuario' and 'Id_evaluacion' parameters of '/evaluacion_inicio.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
  Title added: Out-of-band SQL injection in Quatuor Performance Evaluation
  Weaknesses added: CWE-89
  References: (none)
  Metrics added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: INCIBE
Published:
Updated: 2026-01-27T20:52:37.150Z
Reserved: 2026-01-27T09:25:51.858Z
Link: CVE-2026-1474

Vulnrichment

Updated: 2026-01-27T19:49:55.912Z

NVD

Status: Analyzed
Published: 2026-01-27T17:16:10.697
Modified: 2026-02-10T20:20:43.383
Link: CVE-2026-1474

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses