Cybersecurity specialists report the detection of two vulnerabilities in Philips Tasy Electronic Medical Record software. According to the report, the successful exploitation of these flaws would lead to the total compromise of the target system.
Below are brief reports of the detected flaws in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-39375: Insufficient disinfection of user-provided data in the “FilterValue” parameter in “WAdvancedFilter/getDimensionItemsByCode” would allow threat actors to send specially crafted requests to the affected application in order to execute arbitrary SQL commands in this application’s database.
The vulnerability received a CVSS score of 9/10 and its successful exploitation would allow access to sensitive information in the system, in addition to allowing hackers near-total control of this implementation.
CVE-2021-39376: On the other hand, this flaw exists due to insufficient disinfection of the data provided by the user in the parameters “IE_CORPO_ASSIST” or “CD_USUARIO_CONVENIO” of “CorCad_F2/executetaConsultaEspecifico”.
Remote threat actors could send specially crafted requests to the affected application in order to execute arbitrary commands.
This vulnerability also received a CVSS score of 9/10 and its successful exploitation will allow access to sensitive information.
According to the report, the flaws found reside in Tasy Electronic Medical Record v3.06.
Both vulnerabilities can be exploited by unauthenticated remote threat actors; however, cybersecurity experts have not detected exploitation attempts in real scenarios. Still, Philips recommends users of affected deployments install the available updates as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
