Security Affairs
Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Philips Tasy EMR healthcare infomatics solution vulnerable to SQL injection

The Philips Tasy EMR comprehensive healthcare informatics solution is affected by two critical SQL injection vulnerabilities. The Philips Tasy EMR is a comprehensive healthcare informatics solution that is used by thousands of hospitals and healthcare infrastructures, mainly in South America. The product is affected by two critical SQL injection vulnerabilities, tracked as CVE-2021-39375 and CVE-2021-39376 respectively. Both issues […]

Signature Healthcare

The Philips Tasy EMR comprehensive healthcare informatics solution is affected by two critical SQL injection vulnerabilities.

The Philips Tasy EMR is a comprehensive healthcare informatics solution that is used by thousands of hospitals and healthcare infrastructures, mainly in South America. The product is affected by two critical SQL injection vulnerabilities, tracked as CVE-2021-39375 and CVE-2021-39376 respectively.

Both issues affect Tasy EMR HTML5 3.06.1803 version and prior, the company addressed them with the release of version 3.06.1804. The vulnerabilities have received a CVSS v3 severity score of 8.8. The vulnerabilities have been rated as critical because they can be exploited by an attacker to access sensitive medical data, such as patient records and financial data.

Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO and the WAdvancedFilter/getDimensionItemsByCode FilterValue parameters.

Both SQL injection vulnerabilities are caused by the improper escaping of special characters in SQL commands.

“Successful exploitation of these vulnerabilities could result in patient’s confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition.” reads the advisory published by CISA.

“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents,”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

[adrotate banner=”5″]

[adrotate banner=”13″]