The Philips Tasy EMR is a comprehensive healthcare informatics solution used by thousands of hospitals and healthcare organizations, mainly in South America. The product is affected by two SQL injection vulnerabilities, tracked as CVE-2021-39375 and CVE-2021-39376 respectively.
Both issues affect Tasy EMR HTML5 version 3.06.1803 and prior; the company addressed them with the release of version 3.06.1804. Both vulnerabilities have a CVSS v3 base score of 8.8, which sits in the High band of the CVSS v3 scale. They are nonetheless treated as critical because an attacker can exploit them to access sensitive medical data, such as patient records and financial data.
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameters of the CorCad_F2/executaConsultaEspecifico endpoint, and via the FilterValue parameter of the WAdvancedFilter/getDimensionItemsByCode endpoint.
Both SQL injection vulnerabilities are caused by the improper neutralization of special characters in SQL commands (CWE-89): request parameters reach the database as part of the SQL text rather than as bound values, so a crafted parameter can alter the query's logic. The standard remedy for this class of bug is to pass user input only through parameterized queries or prepared statements, with input validation as a secondary layer.
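The following is an added illustration of the bug class described above, written for this page; it is not Tasy's code and does not reproduce the actual Tasy queries. The `patients` table, its columns and the sample rows are constructed stand-ins, and the name `filter_value` only echoes the advisory's FilterValue parameter for readability. It puts a vulnerable string-concatenated lookup beside a parameterized one and runs the same injected values through both, showing how a single unescaped quote expands a filtered lookup into a dump of the table.

```python
import sqlite3

# Constructed sample data standing in for an EMR database (not Tasy's schema).
SAMPLE_ROWS = [
    ("P001", "ORTHO", "Alice"),
    ("P002", "CARDIO", "Bob"),
    ("P003", "ORTHO", "Carol"),
]


def build_db():
    """Create an in-memory database with a hypothetical patients table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (cd_paciente TEXT, cd_convenio TEXT, nm_paciente TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def filter_vulnerable(conn, filter_value):
    """CWE-89 pattern: the request parameter is spliced into the SQL text.

    A value containing a quote closes the literal early and the remainder is
    parsed as SQL, so the caller no longer controls what the query does.
    """
    sql = (
        "SELECT nm_paciente FROM patients WHERE cd_convenio = '"
        + filter_value
        + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def filter_fixed(conn, filter_value):
    """Parameterized form: the value is bound, never parsed as SQL grammar.

    Quotes, comment markers and UNION keywords inside filter_value are
    compared as data against cd_convenio and match nothing.
    """
    sql = "SELECT nm_paciente FROM patients WHERE cd_convenio = ?"
    return [row[0] for row in conn.execute(sql, (filter_value,))]


# Constructed injection payloads for the demonstration.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT cd_paciente FROM patients --"


if __name__ == "__main__":
    db = build_db()
    for value in ("ORTHO", PAYLOAD_TAUTOLOGY, PAYLOAD_UNION):
        print(repr(value))
        print("  vulnerable:", filter_vulnerable(db, value))
        print("  fixed:     ", filter_fixed(db, value))
```

With the legitimate value `ORTHO` both functions return the same two names. With the tautology payload the vulnerable query returns every patient, and with the UNION payload it returns a column the query was never meant to expose (the patient codes), which is the data-extraction outcome the advisory warns about; the parameterized query returns an empty list in both cases because the payload is simply compared against `cd_convenio` as a string.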
“Successful exploitation of these vulnerabilities could result in patient’s confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition.” reads the advisory published by CISA.
“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.”