Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_ver_auto.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Compromise
Action: Apply Patch
AI Analysis

Impact

An out-of-band SQL injection (OOB SQLi) flaw exists in the Quatuor Evaluación de Desempeño application. The vulnerability lies in the Id_usuario parameter of the /evaluacion_objetivos_ver_auto.aspx page. Attackers can craft malicious SQL that triggers external data transmission, allowing them to exfiltrate sensitive database content without the application returning the data directly. Consequently, the confidentiality of stored information is compromised. The weakness is classified as CWE‑89.

Affected Systems

The affected product is Quatuor: Evaluación de Desempeño (EDD), developed by Gabinete Técnico de Programación. No specific version numbers are listed in the CNA data; the vendor claims that the issue is resolved in the latest release.

Risk and Exploitability

The CVSS 4.0 score of 9.3 indicates critical severity, while the EPSS score of less than 1% reflects a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to send a malicious request to the Id_usuario parameter via the /evaluacion_objetivos_ver_auto.aspx endpoint, typically from an external network, to trigger the out‑of‑band data exfiltration. No authentication or special privileges are explicitly required, so any user who can access that endpoint could potentially exploit the flaw.

Generated by OpenCVE AI on April 18, 2026 at 02:04 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Update Quatuor Evaluación de Desempeño to the latest version released on November 12, 2025, which contains the fix for this OOB SQLi vulnerability.
  • Implement strict input validation or parameterized queries for the Id_usuario parameter in /evaluacion_objetivos_ver_auto.aspx to eliminate injection vectors.
  • Restrict or monitor outbound network traffic from the application or database server to prevent unintended data exfiltration via out-of-band channels.


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
CPEs | | cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 28 Jan 2026 12:30:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
First Time appeared | | Quatuor; Quatuor evaluacion De Desempeno
Vendors & Products | | Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 17:00:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Description | | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Title | | Out-of-band SQL injection in Quatuor Performance Evaluation
Weaknesses | | CWE-89
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T18:24:19.161Z

Reserved: 2026-01-27T09:25:59.759Z

Link: CVE-2026-1483

Vulnrichment

Updated: 2026-01-27T18:24:11.289Z

NVD

Status: Analyzed

Published: 2026-01-27T17:16:11.963

Modified: 2026-02-10T20:21:17.750

Link: CVE-2026-1483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z
