Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_ver_auto.asp' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-band SQL injection exposing sensitive data
Action: Immediate Patch
AI Analysis

Impact

An out-of-band SQL injection flaw exists in the Quatuor Evaluación de Desempeño application that allows a malicious actor to deliver payloads via the Id_usuario and Id_evaluacion parameters sent to /evaluacion_hca_ver_auto.asp. The extracted data leaves through an external (out-of-band) channel rather than the HTTP response, so the attacker can retrieve sensitive database contents without the application returning the data directly. This vulnerability falls under CWE-89 and can compromise the confidentiality of stored data.

Affected Systems

The issue impacts the Quatuor Evaluación de Desempeño (EDD) product provided by Gabinete Técnico de Programación. All versions of the application prior to the release dated November 12 2025 are susceptible. No other product variants were identified.

Risk and Exploitability

Security scoring lists a CVSS base score of 9.3 and an EPSS of less than 1%, indicating a high severity but a low probability of being actively exploited today. The vulnerability is not included in the CISA KEV catalog. Exploitation would typically be performed by a remote attacker sending crafted requests to the vulnerable endpoint, causing the database to return the extracted data over an external channel rather than in the web response. Given the high impact, organizations should treat this as a critical risk even though the exploitation likelihood is currently low.

Generated by OpenCVE AI on April 18, 2026 at 02:05 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Install the latest Quatuor Evaluación de Desempeño release (November 12 2025).
  • Configure the web server or application firewall to block or filter SQL injection patterns on the /evaluacion_hca_ver_auto.asp endpoint.
  • If upgrading is not immediately possible, limit access to the endpoint to trusted users and monitor logs for suspicious activity.
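As an added example (not part of the OpenCVE record or the vendor's code), the log monitoring suggested in the last bullet, written for IIS W3C access logs: it flags requests to /evaluacion_hca_ver_auto.asp whose Id_usuario or Id_evaluacion values are not plain integers. The field layout and the sample log lines are constructed assumptions.

```python
# Added example: allow-list check over IIS W3C access logs for the vulnerable endpoint.
# Field layout follows a typical IIS #Fields line; the log lines below are constructed.
from urllib.parse import parse_qs

ENDPOINT = "/evaluacion_hca_ver_auto.asp"
# Lower-cased: classic ASP treats query parameter names case-insensitively.
ID_PARAMS = ("id_usuario", "id_evaluacion")

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2026-01-27 10:00:01 10.0.0.5 GET /evaluacion_hca_ver_auto.asp Id_usuario=1042&Id_evaluacion=7 443 - 10.1.2.3 200
2026-01-27 10:00:09 10.0.0.5 GET /evaluacion_hca_ver_auto.asp Id_usuario=1042%27&Id_evaluacion=7 443 - 10.1.2.3 500
2026-01-27 10:00:15 10.0.0.5 GET /evaluacion_hca_ver_auto.asp Id_usuario=1042&Id_evaluacion=7x 443 - 10.9.9.9 200
2026-01-27 10:00:20 10.0.0.5 GET /index.asp - 443 - 10.1.2.3 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def is_plain_int(value):
    """Strict allow-list: the two IDs are numeric keys, so anything else is suspect."""
    return value.isdigit()


def suspicious_requests(text):
    """Return requests to ENDPOINT carrying a non-integer Id_usuario / Id_evaluacion."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so 1042%27 is inspected as 1042'
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        bad = {name: v for name, values in query.items()
               if name.lower() in ID_PARAMS for v in values if not is_plain_int(v)}
        if bad:
            hits.append({"time": rec["date"] + " " + rec["time"],
                         "client": rec["c-ip"], "status": rec["sc-status"], "params": bad})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because the injection is out-of-band, the third sample line is flagged despite returning HTTP 200, so status codes alone will not reveal exploitation; pair this check with egress monitoring (DNS and outbound connections) on the database server.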



Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 28 Jan 2026 12:30:00 +0000

Type: First Time appeared
Values Added: Quatuor; Quatuor evaluacion De Desempeno

Type: Vendors & Products
Values Added: Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 17:00:00 +0000

Type: Description
Values Added: An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_ver_auto.asp' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.

Type: Title
Values Added: Out-of-band SQL injection in Quatuor Performance Evaluation

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T18:57:32.737Z

Reserved: 2026-01-27T09:25:56.039Z

Link: CVE-2026-1479

Vulnrichment

Updated: 2026-01-27T18:57:28.246Z

NVD

Status: Analyzed

Published: 2026-01-27T17:16:11.413

Modified: 2026-02-10T20:19:49.470

Link: CVE-2026-1479

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses