Philips healthcare informatics solution vulnerable to SQL injection

LASER_oneXM

The Philips Tasy EMR, used by hundreds of hospitals as a medical record solution and healthcare management system, is vulnerable to two critical SQL injection flaws.
The vulnerabilities are tracked as CVE-2021-39375 and CVE-2021-39376, and both have a severity score of 8.8 in CVSS v3.

These are SQL injection flaws via two parameters, relying on the improper escaping of special characters in SQL commands.

The affected versions of the product are Tasy EMR HTML5 3.06.1803 and prior, so all organizations using the healthcare suite are urged to upgrade to version 3.06.1804 or later.
CISA has also released an advisory for the product, as it's widely deployed in many public and private health institutes, mainly in Argentina, Brazil, Colombia, Mexico, and the Dominican Republic.

"Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents," warned the advisory from CISA.
 
