Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_competencias_evalua_old.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-band SQL injection allowing external extraction of confidential data
Action: Patch
AI Analysis

Impact

An out-of-band SQL injection vulnerability exists in the Performance Evaluation (EDD) application built by Gabinete Técnico de Programación. The flaw is triggered through the parameters 'Id_usuario' and 'Id_evaluacion' of the page '/evaluacion_competencias_evalua_old.aspx'. An attacker can inject SQL that the database executes and whose results are relayed over an external channel, giving the attacker the contents of sensitive tables without the application returning the data directly. This compromises the confidentiality of stored information and can expose the full contents of the underlying database if the injected payload succeeds.

Affected Systems

The affected product is Quatuor Evaluación de Desempeño (EDD). No specific version information is provided in the data, so the impact applies to all installations until they are patched.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating high severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation at the moment, and it is not listed in the CISA KEV catalog. An attacker needs network access to the application and a path for the out-of-band payload to reach an external channel; given that, the vulnerability enables sensitive data extraction without the application returning the data directly. The only mitigation is the patch released on November 12, 2025, which eliminates the vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 02:05 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Upgrade to the latest version of Quatuor Evaluación de Desempeño released on November 12, 2025, which contains the fix.
  • If an immediate update is unavailable, sanitize the 'Id_usuario' and 'Id_evaluacion' parameters to accept only numeric data, blocking potentially malicious SQL code.
  • If sanitization cannot be done, restrict outbound network connections from the database server (and the application server) so that the out-of-band channel cannot reach an attacker; this disrupts exfiltration but may affect legitimate functionality.
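The second recommended action, accepting only numeric values for 'Id_usuario' and 'Id_evaluacion' and then binding them as typed parameters, as an added ASP.NET example (this is not code from Gabinete Técnico de Programación or from OpenCVE). The table name Evaluaciones and the query shape are assumptions about the real schema.

```csharp
// Added example: validate the two identifiers as positive integers and pass them
// to SQL Server as typed parameters instead of concatenating them into the query.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Web;

public static class EvaluacionLookup
{
    // Step 1: digits only, no sign, no whitespace, and greater than zero.
    // Anything else is rejected before it gets near the query layer.
    public static bool TryParseId(string raw, out int id)
    {
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id)
               && id > 0;
    }

    // Step 2: bind the validated values as parameters. The pattern being replaced
    // is string concatenation ("... WHERE Id_usuario = " + raw), which is what lets
    // request text become part of the SQL statement in the first place.
    public static DataTable LoadEvaluacion(SqlConnection conn, HttpRequest request)
    {
        if (!TryParseId(request.QueryString["Id_usuario"], out int idUsuario) ||
            !TryParseId(request.QueryString["Id_evaluacion"], out int idEvaluacion))
        {
            // Fail early and do not echo the raw value back into the response.
            throw new HttpException(400, "Invalid identifier");
        }

        // "Evaluaciones" is an assumed table name for this example.
        const string sql =
            "SELECT * FROM Evaluaciones WHERE Id_usuario = @IdUsuario AND Id_evaluacion = @IdEvaluacion";

        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@IdUsuario", SqlDbType.Int).Value = idUsuario;
            cmd.Parameters.Add("@IdEvaluacion", SqlDbType.Int).Value = idEvaluacion;

            var table = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

Even with the integer check in place, keep the parameterized query: the validation is defence in depth, while the parameters are what actually remove the injection point.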

Generated by OpenCVE AI on April 18, 2026 at 02:05 UTC.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000 (values added; nothing removed)
CPEs: cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 28 Jan 2026 12:30:00 +0000 (values added; nothing removed)
First Time appeared: Quatuor; Quatuor evaluacion De Desempeno
Vendors & Products: Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 21:15:00 +0000 (values added; nothing removed)
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 17:00:00 +0000 (values added; nothing removed)
Description: An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_competencias_evalua_old.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Title: Out-of-band SQL injection in Quatuor Performance Evaluation
Weaknesses: CWE-89
References: (none listed)
Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T20:52:11.854Z

Reserved: 2026-01-27T09:25:54.379Z

Link: CVE-2026-1477

Vulnrichment

Updated: 2026-01-27T19:49:26.477Z

NVD

Status : Analyzed

Published: 2026-01-27T17:16:11.137

Modified: 2026-02-10T20:16:26.177

Link: CVE-2026-1477

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses