Cybersecurity specialists report the detection of two critical vulnerabilities in Philips Tasy EMR, a medical record and health services management tool. Tracked as CVE-2021-39375 and CVE-2021-39376, both flaws received scores of 8.8/10 according to the Common Vulnerability Scoring System (CVSS).

The flaws were described as SQL injection errors that exist due to the incorrect use of special characters in SQL commands. These errors reside in all Tasy EMR versions prior to 3.06.1803, so administrators of affected versions will need to upgrade to v3.06.1804 or earlier to mitigate the risk of exploitation.

Like any similar product, Tasy EMR stores a wealth of sensitive information, including personally identifiable data, medical records, diagnoses, medication details, bills, and other private records, so system compromise could prove disastrous for hospitals, staff, and patients alike.

Specialists believe that errors in the storage of this confidential information become more evident when they are public health institutions, since their resource limitations make them an ideal target for threat actors, especially considering that most of their work is still the fight against the pandemic.

In this regard, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert, as they consider the update of this product a priority due to its wide use. According to the Agency, this solution is used in hospitals throughout Latin America, mainly in Argentina, Brazil, Mexico, Colombia, the Dominican Republic and other countries. Philips data confirms such a claim, as the company mentions that Tasy EMR is used in more than 1,000 healthcare organizations worldwide.

As mentioned above, the main recommendation is to upgrade vulnerable Tasy EMR implementations to a secure version, for which Philips has published a companion guide on its official platforms. It is also recommended that health institutions try to minimize the exposure of this data to external users and other areas of their systems that do not require access to this information. The use of security tools such as VPN software and anti-malware products is also recommended.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Two critical SQL injection vulnerabilities in Philips Tasy EMR, used by hospitals worldwide appeared first on Information Security Newspaper | Hacking News.


You May Also Like

Two critical code vulnerabilities in a core component of the PHP supply chain repository

SonarSource cybersecurity specialists report the detection of various vulnerabilities in PEAR, a…

Critical vulnerability in WordPress Download Manager affects more than 100k websites

Wordfence specialists discovered a critical vulnerability in Download Manager, one of the…

Kalay cloud platform flaw exposes millions of IoT devices to hack

A critical vulnerability was discovered in the Kalay cloud platform that exposes…

Vulnerability in Linux distributions allows threat actors to escalate privileges

Cybersecurity specialists report the detection of an authentication bypass flaw in the…