Healthcare informatics provider Philips recently discovered that its solution, Tasy EMR, is susceptible to two SQL injection vulnerabilities. The vulnerabilities are tracked as CVE-2021-39375 and CVE-2021-39376 and have received a severity score of 8.8. Both bugs affect Tasy EMR HTML5 version 3.06.1803 and prior, and both are caused by the improper escaping of special characters in SQL commands. The high severity score is likely due to the information that could be exposed if the vulnerabilities were exploited. CISA stated, “Successful exploitation of these vulnerabilities could result in patient’s confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition.” Philips does not believe the vulnerabilities have been exploited at this time, and patient data has not been accessed.