Vulnerabilities in Popular Open Source Management Tool Expose Hospitals to Attacks

A dozen vulnerabilities have been found in OpenClinic GA, a popular open source hospital management system, including flaws that can be exploited to access sensitive information or install malware on the hosting server.


OpenClinic GA is described as an “integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data.” The product is used worldwide and it has been downloaded nearly 120,000 times from SourceForge.


Brian Hysell, a senior consultant at the Synopsys Software Integrity Group, discovered that the software is affected by a dozen vulnerabilities, most of which have been classified as critical or high severity based on their CVSS score. The flaws can be exploited to bypass access controls and account protections, obtain sensitive information, upload and execute arbitrary files, and execute arbitrary code or commands.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an advisory describing the issues identified by Hysell.


The researcher told SecurityWeek that he reported his findings to the vendor, via ICS-CERT, in August 2018. He says he has not communicated directly with the developer, who told ICS-CERT in March 2019 that most of the vulnerabilities had been patched in the latest release. However, communications with the developer were apparently poor and it’s unclear exactly which of the flaws have been patched.


Hysell explained that several of the vulnerabilities could be chained together to allow an attacker with access to the application via a web browser to conduct various activities, including viewing or modifying the content of databases (including patient data) or installing malware on the server hostin ..
