Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_evalua.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote data exfiltration via out‑of‑band SQL injection
Action: Patch immediately
AI Analysis

Impact

The vulnerability is an out‑of‑band SQL injection (OOB SQLi) that occurs when an attacker supplies specially crafted input in the parameters 'Id_usuario' or 'Id_evaluacion' on the /evaluacion_hca_evalua.aspx page of the Quatuor performance evaluation application. Because the application neither validates nor parameterizes this input, the attacker can force the database server to send query results to an external location under the attacker's control, exfiltrating sensitive information without the application ever returning it directly in its response. The weakness is a classic SQL injection flaw (CWE‑89) that compromises the confidentiality of stored data.

Affected Systems

Quatuor: Evaluación de Desempeño (EDD) is the affected product. The CVE does not list specific affected or fixed version numbers, but the vendor released an updated version on November 12, 2025 that resolves the issue. The vulnerability applies to releases of the application prior to that date.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score of less than 1% suggests that exploitation attempts are very rare at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote via the public web interface: an attacker needs only to craft a request to the identified endpoint. The attack requires the application to be reachable and the two parameters not to be otherwise protected by authentication or validation. Once triggered, the attacker can obtain database contents through the OOB channel.

Generated by OpenCVE AI on April 16, 2026 at 07:16 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Upgrade the application to the latest release made available on November 12, 2025, which contains the fix for this OOB SQL injection.
  • Implement explicit input validation for the 'Id_usuario' and 'Id_evaluacion' parameters, accepting only integer values and rejecting any non‑numeric payload before it reaches a query; pass the validated values to the database as bound parameters rather than concatenating them into SQL.
  • Deploy a web application firewall or similar security layer to detect and block requests that inject SQL syntax into these parameters in an attempt to exfiltrate data to external hosts.

Generated by OpenCVE AI on April 16, 2026 at 07:16 UTC.
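The two recommended actions above (a numeric allow-list on the parameters, and detecting requests that carry anything else) can be shown in code. The following is an added example written for this page; it is not code from OpenCVE, from the CVE record, or from the Quatuor application. The application itself is ASP.NET, so this Python is a language-neutral illustration: `parse_id` is the strict allow-list, `lookup_evaluacion` is a parameterized query that refuses unvalidated input, and `flag_suspicious` scans web-server access log lines for requests to /evaluacion_hca_evalua.aspx whose id parameters are not plain integers. The table and column names, the upper bound on ids, and the log lines are constructed assumptions.

```python
"""Added example (not part of the OpenCVE page or the Quatuor product):
strict numeric validation of Id_usuario / Id_evaluacion, a parameterized
lookup, and a log-based detector for non-numeric values sent to the
affected endpoint. Table/column names and log lines are constructed."""
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/evaluacion_hca_evalua.aspx"      # affected page (from the CVE)
ID_PARAMS = ("Id_usuario", "Id_evaluacion")   # affected parameters (from the CVE)
MAX_ID = 2**31 - 1                            # assumption: ids fit a SQL INT column


def parse_id(value):
    """Return the integer for a well-formed id, or None for anything else.
    Digits only: no sign, whitespace, quotes, comment markers or embedded SQL."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,10}", value):
        return None
    n = int(value)
    return n if 1 <= n <= MAX_ID else None


def lookup_evaluacion(conn, id_usuario, id_evaluacion):
    """Hardened lookup: validate first, then bind the values as parameters.
    Raises ValueError instead of ever building a query from raw input."""
    u, e = parse_id(id_usuario), parse_id(id_evaluacion)
    if u is None or e is None:
        raise ValueError("Id_usuario and Id_evaluacion must be numeric")
    cur = conn.execute(
        "SELECT puntuacion FROM evaluaciones "
        "WHERE id_usuario = ? AND id_evaluacion = ?",
        (u, e),
    )
    return [row[0] for row in cur.fetchall()]


def build_demo_db():
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE evaluaciones("
                 "id_usuario INT, id_evaluacion INT, puntuacion INT)")
    conn.executemany("INSERT INTO evaluaciones VALUES (?, ?, ?)",
                     [(7, 1, 85), (7, 2, 90), (8, 1, 60)])
    return conn


# Common Log Format-style access log line: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for the demo (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jan/2026:10:00:01 +0000] "GET /evaluacion_hca_evalua.aspx?Id_usuario=7&Id_evaluacion=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Jan/2026:10:00:07 +0000] "GET /evaluacion_hca_evalua.aspx?Id_usuario=7%27&Id_evaluacion=1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [27/Jan/2026:10:00:09 +0000] "GET /evaluacion_hca_evalua.aspx?Id_usuario=7&Id_evaluacion=abc HTTP/1.1" 200 512',
    '10.0.0.5 - - [27/Jan/2026:10:00:12 +0000] "GET /otra_pagina.aspx?Id_usuario=x HTTP/1.1" 200 100',
]


def flag_suspicious(log_lines):
    """Return (client_ip, parameter, decoded_value) for every request to the
    affected page whose id parameters fail the same allow-list the
    application should enforce. Other pages are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != ENDPOINT:
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        for p in ID_PARAMS:
            for raw in qs.get(p, []):
                if parse_id(raw) is None:
                    hits.append((m.group("ip"), p, raw))
    return hits


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_evaluacion(db, "7", "1"))
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The validator is deliberately an allow-list rather than a block-list: anything that is not one to ten ASCII digits is rejected, so the WAF-style detector and the application share one definition of "valid" and a request that the detector flags is, by construction, one the patched application would refuse before touching the database.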

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Quatuor evaluaci N De Desempe O Edd
CPEs                  -                cpe:2.3:a:quatuor:evaluaci_n_de_desempe_o_edd_:*:*:*:*:*:*:*:*
Vendors & Products    -                Quatuor evaluaci N De Desempe O Edd

Tue, 10 Feb 2026 20:30:00 +0000

Type                  Values Removed   Values Added
CPEs                  -                cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
Metrics               -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 27 Jan 2026 20:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Quatuor; Quatuor evaluacion De Desempeno
Vendors & Products    -                Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 19:15:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 17:00:00 +0000

Type                  Values Removed   Values Added
Description           -                An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_evalua.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Title                 -                Out-of-band SQL injection in Quatuor Performance Evaluation
Weaknesses            -                CWE-89
References            -                -
Metrics               -                cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-24T15:40:06.500Z

Reserved: 2026-01-27T09:25:55.224Z

Link: CVE-2026-1478

Vulnrichment

Updated: 2026-01-27T19:08:52.462Z

NVD

Status : Analyzed

Published: 2026-01-27T17:16:11.277

Modified: 2026-02-10T20:21:25.150

Link: CVE-2026-1478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:30:28Z

Weaknesses