The Philips Tasy EMR is a comprehensive healthcare informatics solution that is used by thousands of hospitals and healthcare infrastructures, mainly in South America. The product is affected by two critical SQL injection vulnerabilities, tracked as CVE-2021-39375 and CVE-2021-39376 respectively.
Both issues affect Tasy EMR HTML5 3.06.1803 version and prior, the company addressed them with the release of version 3.06.1804. The vulnerabilities have received a CVSS v3 severity score of 8.8. The vulnerabilities have been rated as critical because they can be exploited by an attacker to access sensitive medical data, such as patient records and financial data.
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO and the WAdvancedFilter/getDimensionItemsByCode FilterValue parameters.
Both SQL injection vulnerabilities are caused by the improper escaping of special characters in SQL commands.
“Successful exploitation of these vulnerabilities could result in patient’s confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition.” reads the advisory published by CISA.
“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents,”
(SecurityAffairs – hacking, supply chain attack)