Healthcare informatics provider Philips recently discovered that its solution, Tasy EMR, is susceptible to two SQL injection vulnerabilities. The vulnerabilities are being tracked as CVE-2021-39375 and CVE-2021-39376 and have received a severity score of 8.8. Both bugs affect Tasy EMR HTML5 version 3.06.1803 and prior. Both vulnerabilities are caused by the improper escaping of special characters in SQL commands. The high severity score is likely due to the information that could potentially be exposed if the vulnerabilities were exploited. CISA stated, “Successful exploitation of these vulnerabilities could result in patient’s confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition.” Philips does not believe the vulnerabilities have been exploited at this time, and patient data has not been accessed.
Organizations using Tasy EMR are advised to upgrade their solution to version 3.06.1804 or later immediately to remediate these vulnerabilities. If an immediate upgrade is not feasible, companies should take the vulnerable systems offline, use virtual private networks (VPNs) when accessing them remotely, and use firewalls to isolate the affected networks.
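The root cause the advisory names, special characters in user input being interpreted as SQL syntax, shown as an added example that is not Philips' or Tasy's code. It uses a constructed in-memory SQLite table as a stand-in for an EMR patient table, puts the vulnerable query builder beside its parameterized form, and includes a regression check a team could run against its own query helpers.

```python
import sqlite3

def make_db():
    # Constructed sample data, not Tasy's schema: a legitimate surname
    # containing an apostrophe is enough to expose the bug class.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, surname TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patient (surname, diagnosis) VALUES (?, ?)",
                     [("O'Brien", "asthma"), ("Silva", "hypertension")])
    return conn

def lookup_unsafe(conn, surname):
    # Vulnerable pattern: the value is spliced into the SQL text, so the
    # database parses any special character in it as part of the statement.
    sql = "SELECT surname, diagnosis FROM patient WHERE surname = '%s'" % surname
    return conn.execute(sql).fetchall()

def lookup_safe(conn, surname):
    # Hardened pattern: the statement and the value travel separately, so
    # the driver always treats the input as data, never as SQL.
    sql = "SELECT surname, diagnosis FROM patient WHERE surname = ?"
    return conn.execute(sql, (surname,)).fetchall()

def treats_input_as_sql(conn, lookup):
    """Regression check for a query helper: returns True if a legitimate value
    containing a quote changes the query's meaning (an error or a wrong row set)
    instead of being matched literally."""
    try:
        rows = lookup(conn, "O'Brien")
    except sqlite3.Error:
        return True
    return rows != [("O'Brien", "asthma")]

def compare(surname):
    """Run both helpers on one input; the unsafe result is the error text if it fails."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, surname)
    except sqlite3.Error as exc:
        unsafe = "ERROR: " + str(exc)
    return unsafe, lookup_safe(conn, surname)
```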