The Philips Tasy EMR, used by hundreds of hospitals as a medical record solution and healthcare management system, is vulnerable to two critical SQL injection flaws.
The vulnerabilities are tracked as CVE-2021-39375 and CVE-2021-39376, and both have a severity score of 8.8 in CVSS v3.
Both are SQL injection flaws reachable through two request parameters, and both stem from improper escaping of special characters in the values placed into SQL commands.
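To make the defect class concrete, here is an added example (not code from the article, from Philips, or from the Tasy EMR product) that shows the flawed pattern the advisory describes beside its parameterized fix, plus a small request-log triage heuristic that goes slightly beyond the text. The table name `patients`, the `record_id` parameter, and the sample rows are constructed for illustration and are not the actual Tasy parameters, which the article does not name.

```python
"""
Added example: SQL injection caused by improper escaping of special
characters in a request parameter, beside the parameterized fix, and a
log-triage heuristic. All identifiers (patients table, record_id
parameter, sample rows) are constructed and hypothetical.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (record_id TEXT, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("P-1001", "Alice", "constructed-a"),
            ("P-1002", "Bob", "constructed-b"),
            ("P-1003", "Carol", "constructed-c"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, record_id: str) -> list:
    """The flawed pattern: the parameter value is spliced into the SQL text.

    A single quote in the input closes the string literal, so whatever
    follows is interpreted as SQL rather than as data. Ad hoc escaping of
    a few characters is exactly the kind of control that fails here.
    """
    sql = (
        "SELECT record_id, name FROM patients "
        f"WHERE record_id = '{record_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, record_id: str) -> list:
    """The hardened pattern: the value is bound as a parameter, never
    concatenated into SQL text, so quotes and other special characters
    remain data no matter what escaping is or is not applied."""
    sql = "SELECT record_id, name FROM patients WHERE record_id = ?"
    return conn.execute(sql, (record_id,)).fetchall()


# A quote followed by an SQL connective or terminator is a common shape
# for injection attempts in request parameters. This is a triage aid for
# reviewing logs, not a substitute for parameterized queries.
_SUSPECT = re.compile(r"'\s*(?:or|and|union|--|;)", re.IGNORECASE)


def flag_parameter(value: str) -> bool:
    """Return True when a logged parameter value looks like an injection
    attempt and deserves analyst attention."""
    return bool(_SUSPECT.search(value))


if __name__ == "__main__":
    db = make_db()
    benign = "P-1001"
    hostile = "x' OR '1'='1"  # constructed input, closes the literal
    print("vulnerable, benign:", lookup_vulnerable(db, benign))
    print("vulnerable, hostile:", lookup_vulnerable(db, hostile))
    print("parameterized, hostile:", lookup_parameterized(db, hostile))
    print("flagged:", flag_parameter(hostile), flag_parameter(benign))
```

Run it directly to see the vulnerable lookup return every row for the hostile value while the parameterized lookup returns nothing; the heuristic flags the hostile value and passes the benign one.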
The affected versions of the product are Tasy EMR HTML5 3.06.1803 and prior, so all organizations using the healthcare suite are urged to upgrade to version 3.06.1804 or later.
CISA has also released an advisory for the product, as it’s widely deployed in many public and private health institutes, mainly in Argentina, Brazil, Colombia, Mexico, and the Dominican Republic.