Vulnerabilities in Popular Open Source Management Tool Expose Hospitals to Attacks
Security News, July 2020
A dozen vulnerabilities have been found in OpenClinic GA, a popular open source hospital management system, including flaws that can be exploited to access sensitive information or to install malware on the server hosting the application.
OpenClinic GA is described as an "Integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data." The product is used worldwide and it has been downloaded nearly 120,000 times from SourceForge.
Hysell, the researcher who reported the flaws, explained that several of the vulnerabilities could be chained together to allow an attacker with access to the application through a web browser to view or modify the contents of its databases, or to install malware on the server hosting OpenClinic GA, which in turn can give the attacker a foothold from which to move deeper into the targeted organization's network.
"Other bugs in the application's session management allowed attackers to bypass login entirely; they could only access certain portions of the application, but crucially, those included that same SQL query panel," he added.
The researcher says it might be possible to exploit some of the vulnerabilities directly from the internet if an organization has configured the application to be remotely accessible.