Two vulnerabilities with high severity scores were discovered in the Philips Tasy EMR that may result in the extraction of sensitive patient information from the database. An attacker can exploit the vulnerabilities remotely. There’s a low attack difficulty, and exploits for the vulnerabilities are accessible in the public domain.
According to Philips, the vulnerabilities impact Tasy EMR HTML5 3.06.1803 and earlier versions The impacted products are utilized mostly in Central and South America. The vulnerabilities were discovered and publicly shared by a security researcher who failed to observe sensible disclosure practices and did not communicate with Philips.
The two vulnerabilities, which are SQL injection vulnerabilities have an assigned CVSS v3 severity score of 8.8 out of 10. The two are caused by incorrect neutralization of particular elements in SQL commands.
- Vulnerability CVE-2021-39375 permits SQL injection through the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
- Vulnerability CVE-2021-39376 permits SQL injection through the CD_USUARIO_CONVENIO parameter or CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST.
By taking advantage of the vulnerabilities, it’s possible for a remote attacker to expose patient information, extract data from the database, or bring about a denial-of-service status.
Philips states that the report regarding the vulnerabilities has been submitted to CISA and that the two vulnerabilities identified in Tasy EMR HTML5 to Version 3.06.1804 had been fixed. All healthcare companies utilizing a vulnerable EMR system version need to upgrade to version 3.06.1804 or later immediately to avoid exploitation. Before updating to the most recent version, CISA advises doing an impact evaluation and risk analysis.