SAP has patched the issue, which affected Electronic Medical Records Unwired Credit: Thinkstock SAP has fixed two flaws in a mobile medical app, one of which could have allowed an attacker to upload fake patient data.The issues were found in SAP’s Electronic Medical Records (EMR) Unwired, which stores clinical data about patients including lab results and images, said Alexander Polyakov, CTO of ERPScan, a company based in Palo Alto, California, that specializes in enterprise application security.Researchers with ERPScan found a local SQL injection flaw that could allow other applications on a mobile device to get access to an EMR Unwired database. That’s not supposed to happen, as mobile applications are usually sandboxed to prevent other applications from accessing their data.“For example, you can upload malware to the phone, and this malware will be able to get access to this embedded database of this health care application,” Polyakov said in a phone interview. They also found another issue in EMR Unwired where an attacker could tamper with a configuration file and then change medical records stored on the server, according to an ERPScan advisory.“You can send fake information about the medical records, so you can imagine what can be done after that,” Polyakov said. “You can say, ‘This patient is not ill’.” SAP fixed both of the issues about a month ago, Polyakov said.The German software giant also fixed another flaw about a week ago found by ERPScan researchers, which affected its Mobile Device Management software, a mobile client that allows access to the company’s other business applications.The issue was a server-side buffer overflow that could cause a denial-of-service attack, according to an advisory. That may not seem serious, but that server software accepts supply-chain reports from the field and is also used by executives to get access to business-critical data, Polyakov said.“If you can disable the mobile server for at least an hour, the supply chain of the company can be stopped, so you can imagine how bad it can be for a company,” Polyakov said.The vulnerability is not remotely exploitable, so an attacker would need to have access to a SAP Mobile Device Management client, he said. But that would be accessible from inside the company and possibly from third-parties, he added.Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe