Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_evaluacion' in '/evaluacion_objetivos_evalua_definido.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an out‑of‑band SQL injection in the 'Id_evaluacion' parameter of the '/evaluacion_objetivos_evalua_definido.aspx' page. An attacker could issue commands that are transmitted through external channels to retrieve sensitive data from the underlying database, thereby undermining confidentiality. This flaw aligns with CWE‑89, highlighting improper handling of SQL statements.

Affected Systems

The affected product is the Quatuor Evaluación de Desempeño (EDD) application, which is vulnerable in versions released before November 12, 2025. The latest build, released on that date, contains the fix and is no longer exploitable. The application is accessed via a web interface hosted by Gabinete Técnico de Programación.

Risk and Exploitability

The CVSS score of 9.3 denotes critical severity, but the EPSS score is under 1 %, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited yet. Based on the description, the attack vector is remote and web-based: a crafted value of the 'Id_evaluacion' parameter is sent to the affected URL, and both CVSS vectors recorded in the history below carry PR:N, so no prior authentication is expected to be required. Because the injection is out-of-band, the attacker does not read results from the HTTP response; they must control or observe an external channel that the database server can be made to contact, which is also where defenders should look for evidence of exploitation.

Generated by OpenCVE AI on April 18, 2026 at 02:04 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Upgrade the EDD application to the version released on November 12, 2025 or later to apply the vendor fix.
  • If an upgrade cannot be performed immediately, restrict or block access to '/evaluacion_objetivos_evalua_definido.aspx' and enforce strict input validation on the 'Id_evaluacion' parameter.
  • Implement monitoring of database query logs and outbound traffic for anomalous out‑of‑band activity, and configure alerts to detect suspicious SQL executions.
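As an added example (not code from the EDD application, its vendor, or OpenCVE), the following Python sketch shows the two defensive measures the bullets above call for: allow-list validation of 'Id_evaluacion' with parameterized database access, placed next to the vulnerable string-splicing pattern for contrast, and a scan of web access-log lines for requests whose 'Id_evaluacion' value is not a plain integer. The table, column names, sample rows and log lines are constructed for the example; the real application is ASP.NET and SQLite stands in for its database here.

```python
"""Allow-list validation, parameterized query, and access-log screening
for a request parameter such as Id_evaluacion.

Added example: not code from the EDD application, its vendor, or OpenCVE.
The table, column names, sample rows and log lines are constructed here;
SQLite stands in for the application's real database.
"""
import re
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed stand-in schema (hypothetical table and column names).
_SCHEMA = """
CREATE TABLE evaluaciones (
    id_evaluacion INTEGER PRIMARY KEY,
    empleado      TEXT    NOT NULL,
    puntuacion    INTEGER NOT NULL
);
INSERT INTO evaluaciones VALUES (1, 'empleado-a', 87);
INSERT INTO evaluaciones VALUES (2, 'empleado-b', 64);
INSERT INTO evaluaciones VALUES (3, 'empleado-c', 92);
"""

# Constructed access-log lines in Apache combined-style format. Only the
# second one carries a non-numeric Id_evaluacion value.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [27/Jan/2026:10:00:01 +0000] "GET /evaluacion_objetivos_evalua_definido.aspx?Id_evaluacion=2 HTTP/1.1" 200 1834',
    '203.0.113.10 - - [27/Jan/2026:10:00:05 +0000] "GET /evaluacion_objetivos_evalua_definido.aspx?Id_evaluacion=2%20OR%201%3D1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Jan/2026:10:01:10 +0000] "GET /evaluacion_objetivos_evalua_definido.aspx?Id_evaluacion=3 HTTP/1.1" 200 1790',
]

_ID_RE = re.compile(r"[1-9][0-9]{0,9}")  # plain positive integer: no sign, no padding
_PARAM_RE = re.compile(r"[?&]Id_evaluacion=([^&\s\"]*)", re.IGNORECASE)


def open_demo_db() -> sqlite3.Connection:
    """Create the in-memory demo database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def validate_id_evaluacion(raw: Optional[str]) -> Optional[int]:
    """Allow-list check: accept only a plain positive integer, else None.

    Rejecting anything that is not exactly digits removes the characters
    an injection needs (quotes, spaces, comment markers, semicolons).
    """
    if raw is None or not _ID_RE.fullmatch(raw):
        return None
    return int(raw)


def fetch_evaluacion_unsafe(conn: sqlite3.Connection, raw: str) -> List[Tuple]:
    """Vulnerable pattern, shown for contrast: the raw parameter is spliced into SQL."""
    sql = ("SELECT id_evaluacion, empleado, puntuacion FROM evaluaciones "
           "WHERE id_evaluacion = " + raw)
    return conn.execute(sql).fetchall()


def fetch_evaluacion_safe(conn: sqlite3.Connection, raw: str) -> Optional[List[Tuple]]:
    """Hardened pattern: validate first, then bind the value as a parameter.

    Returns None when the parameter is rejected so the caller can answer
    HTTP 400 without running any query at all.
    """
    id_eval = validate_id_evaluacion(raw)
    if id_eval is None:
        return None
    sql = ("SELECT id_evaluacion, empleado, puntuacion FROM evaluaciones "
           "WHERE id_evaluacion = ?")
    return conn.execute(sql, (id_eval,)).fetchall()


def suspicious_requests(log_lines: List[str]) -> List[str]:
    """Return log lines whose Id_evaluacion value fails the allow-list check."""
    hits = []
    for line in log_lines:
        m = _PARAM_RE.search(line)
        if m and validate_id_evaluacion(unquote(m.group(1))) is None:
            hits.append(line)
    return hits


if __name__ == "__main__":
    db = open_demo_db()
    print("safe, id=2:", fetch_evaluacion_safe(db, "2"))
    print("safe, tampered value:", fetch_evaluacion_safe(db, "2 OR 1=1"))
    print("unsafe, tampered value returns", len(fetch_evaluacion_unsafe(db, "2 OR 1=1")), "rows")
    print("flagged log lines:", len(suspicious_requests(SAMPLE_ACCESS_LOG)))
```

The same tampered value that makes the unsafe query return every row is rejected before the safe path touches the database, and the log scan flags exactly that request. In production the rejected-parameter event and the flagged log line are the signals to forward to alerting, alongside the outbound-connection monitoring the last bullet describes.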


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 27 Jan 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Quatuor; Quatuor evaluacion De Desempeno

Type: Vendors & Products
Values Added: Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 17:00:00 +0000

Type: Description
Values Added: An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_evaluacion' in '/evaluacion_objetivos_evalua_definido.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.

Type: Title
Values Added: Out-of-band SQL injection in Quatuor Performance Evaluation

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T18:38:09.446Z

Reserved: 2026-01-27T09:25:58.754Z

Link: CVE-2026-1482

Vulnrichment

Updated: 2026-01-27T18:27:09.249Z

NVD

Status: Analyzed

Published: 2026-01-27T17:16:11.817

Modified: 2026-02-10T20:19:32.393

Link: CVE-2026-1482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses