📄 Description (English)
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion’ in ‘/evaluacion_hca_ver_auto.asp', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
🤖 AI Executive Summary
A high-severity out-of-band SQL injection vulnerability (CVE-2026-1479, CVSS 7.5) exists in the Performance Evaluation (EDD) application affecting the 'Id_usuario' and 'Id_evaluacion' parameters. Attackers can extract sensitive database information through external channels without direct application feedback, posing significant confidentiality risks. Although no public exploit is available, the vulnerability is exploitable and patches are available, requiring immediate deployment across affected Saudi organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 3, 2026 12:21
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi government entities and public sector organizations using the EDD application for performance evaluation systems. High-risk sectors include: (1) Government agencies under NCA oversight conducting employee evaluations; (2) Healthcare institutions (MOH, MNGHA) managing staff performance data; (3) Educational institutions (MOE) tracking faculty evaluations; (4) Large enterprises with HR departments using this system. The OOB SQLi technique allows attackers to exfiltrate sensitive personal data, performance records, and potentially credentials through DNS/HTTP callbacks, bypassing traditional WAF detection. Data breach impact includes exposure of employee personal information, evaluation scores, and organizational structure details.
🏢 Affected Saudi Sectors
Government
Healthcare
Education
Public Administration
Large Enterprises with HR Systems
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of the EDD application (Quatuor Evaluacion de Desempeno) across your organization using network scanning and asset inventory tools
2. Isolate affected systems from external network access if patches cannot be applied immediately
3. Enable enhanced logging on affected ASP pages (/evaluacion_hca_ver_auto.asp) to detect exploitation attempts
4. Review database access logs for the past 30 days for suspicious queries or data exfiltration patterns
PATCHING GUIDANCE:
1. Contact Gabinete Técnico de Programación/Quatuor for available patches immediately
2. Apply patches to all instances in a staged approach: test environment first, then production
3. Verify patch effectiveness by testing with SQL injection payloads in controlled environment
4. Document patch deployment with timestamps and verification results
COMPENSATING CONTROLS (if patching delayed):
1. Implement Web Application Firewall (WAF) rules blocking SQL injection patterns in 'Id_usuario' and 'Id_evaluacion' parameters
2. Apply input validation: whitelist only numeric values for both parameters, reject any special characters
3. Implement parameterized queries/prepared statements at application code level
4. Restrict database user permissions to read-only for evaluation data where possible
5. Monitor outbound DNS and HTTP traffic for data exfiltration attempts
DETECTION RULES:
1. Monitor for SQL keywords (UNION, SELECT, EXEC, DECLARE) in 'Id_usuario' and 'Id_evaluacion' parameters
2. Alert on unusual database queries from the EDD application service account
3. Monitor for DNS queries to external domains from the EDD application server
4. Track HTTP POST requests to /evaluacion_hca_ver_auto.asp with parameter lengths >100 characters
5. Implement SIEM rules for time-based blind SQLi indicators (unusual response delays)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ تطبيق EDD (Quatuor Evaluacion de Desempeno) عبر مؤسستك باستخدام أدوات المسح والجرد
2. عزل الأنظمة المتأثرة عن الوصول الخارجي إذا لم يكن من الممكن تطبيق التصحيحات فوراً
3. تفعيل السجلات المحسّنة على صفحات ASP المتأثرة لكشف محاولات الاستغلال
4. مراجعة سجلات الوصول لقاعدة البيانات للـ 30 يوماً الماضية للبحث عن الاستعلامات المريبة
إرشادات التصحيح:
1. التواصل مع Gabinete Técnico de Programación/Quatuor للحصول على التصحيحات المتاحة فوراً
2. تطبيق التصحيحات على جميع النسخ بطريقة مرحلية: بيئة الاختبار أولاً، ثم الإنتاج
3. التحقق من فعالية التصحيح باختبار حقن SQL في بيئة محكومة
4. توثيق نشر التصحيح مع الطوابع الزمنية ونتائج التحقق
الضوابط البديلة (إذا تأخر التصحيح):
1. تطبيق قواعد جدار حماية تطبيقات الويب لحجب أنماط حقن SQL
2. تطبيق التحقق من المدخلات: قبول القيم الرقمية فقط، رفض الأحرف الخاصة
3. تطبيق الاستعلامات المعاملة على مستوى كود التطبيق
4. تقييد صلاحيات مستخدم قاعدة البيانات للقراءة فقط حيث أمكن
5. مراقبة حركة DNS والـ HTTP الخارجية للكشف عن محاولات التسرب
قواعد الكشف:
1. مراقبة كلمات SQL الرئيسية في المعاملات
2. تنبيهات على استعلامات قاعدة البيانات غير العادية
3. مراقبة استعلامات DNS الخارجية من خادم التطبيق
4. تتبع طلبات HTTP مع أطوال معاملات غير عادية
5. تطبيق قواعد SIEM لكشف مؤشرات حقن SQL العمياء
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy and procedures
A.14.2.5 - Secure development environment
A.14.3.1 - Testing of security functionality
A.14.3.2 - System change control
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.DS-6 - Data protection and confidentiality controls
DE.CM-1 - Detection and monitoring of security events
RS.RP-1 - Response planning and procedures
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.14.3.1 - Testing of security functionality
A.13.1.3 - Segregation of networks
A.8.3.4 - Password management
🟣 PCI DSS v4.0.1
6.2 - Security patches and updates
6.5.1 - Injection flaws prevention
11.2 - Vulnerability scanning
📦 Affected Products / CPE 1 entries
quatuor:evaluacion_de_desempeno:-