Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_acciones_ver_auto.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach through out-of-band SQL injection
Action: Apply Patch
AI Analysis

Impact

An out-of-band SQL injection (OOB SQLi) flaw was found in the Quatuor Performance Evaluation (Evaluación de Desempeño) application, specifically in the 'Id_usuario' parameter of the /evaluacion_acciones_ver_auto.aspx endpoint. The vulnerability allows an attacker to inject arbitrary SQL that the database executes silently; the results are retrieved through external channels rather than being displayed to the application user. This mechanism enables an attacker to exfiltrate sensitive data from the database, compromising the confidentiality of the stored information.

Affected Systems

The flaw affects the Quatuor Performance Evaluation (Evaluación de Desempeño) application. Affected versions are unspecified, but the issue is present in every version prior to the release dated 12 November 2025. Users operating versions older than that release are susceptible.

Risk and Exploitability

The CVSS score of 9.3 classifies this as critical severity. The EPSS indicates a very low probability of exploitation (<1%), and the absence of a public exploit and of a listing in the CISA KEV catalogue reduces the immediacy of the threat. Exploitation requires sending a specially crafted value for 'Id_usuario' that causes the database server to make an external request, so an attacker needs network access to the application and a way to receive or observe the outbound traffic that the database server generates.

Generated by OpenCVE AI on April 18, 2026 at 02:06 UTC.

Remediation

Vendor Solution

The vulnerability has been resolved in the latest version of the application, released on November 12, 2025, and is no longer exploitable.

OpenCVE Recommended Actions

  • Upgrade the Quatuor Performance Evaluation application to the revision released on 12 November 2025, which removes the out‑of‑band SQL injection vulnerability.
  • After upgrading, verify that all database queries use parameterized statements for the 'Id_usuario' input to prevent any residual injection attempts.
  • Implement monitoring of database activity for unexpected outbound connections or unusual query patterns that may indicate attempted exploitation.
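As an added illustration (not code from the application or its vendor), the contrast between a concatenated query and a parameterized one for the 'Id_usuario' input of an ASP.NET page; the class, table and column names are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data-access code for an .aspx page; table and column names are assumed.
public static class EvaluacionAccionesData
{
    // VULNERABLE (CWE-89): the raw request value is spliced into the SQL text,
    // so whatever arrives in Id_usuario is parsed by the database as SQL.
    public static DataTable GetAccionesUnsafe(SqlConnection conn, string idUsuario)
    {
        var sql = "SELECT id_accion, descripcion FROM acciones WHERE id_usuario = " + idUsuario;
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // FIXED: validate the type at the boundary and bind it as a typed parameter.
    // The value travels separately from the SQL text and cannot change the query.
    public static DataTable GetAccionesSafe(SqlConnection conn, string idUsuario)
    {
        if (!int.TryParse(idUsuario, out int id) || id <= 0)
            throw new ArgumentException("Id_usuario must be a positive integer.");

        const string sql = "SELECT id_accion, descripcion FROM acciones WHERE id_usuario = @id";
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }
}
```

The page code would call GetAccionesSafe(conn, Request.QueryString["Id_usuario"]); the database login used by the application should also hold only the privileges the page needs, so that even a successful injection cannot initiate outbound connections from the database server.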


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Quatuor
Quatuor evaluacion De Desempeno
Vendors & Products Quatuor
Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in ‘/evaluacion_acciones_ver_auto.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Title Out-of-band SQL injection in Quatuor Performance Evaluation
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T20:52:18.549Z

Reserved: 2026-01-27T09:25:53.534Z

Link: CVE-2026-1476

Vulnrichment

Updated: 2026-01-27T19:49:36.374Z

NVD

Status: Analyzed

Published: 2026-01-27T17:16:10.980

Modified: 2026-02-10T20:20:00.040

Link: CVE-2026-1476

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses