Releases: ArgusoftOpen/medplat
Release list
v2.1.0
Subject: Release Note for System Updates - 17/07/2024
Dear Team,
we are thrilled to announce the release of the latest updates for our system, which include NCD Module:
New features:
ASHA Login and CBAC Form Entry
ASHA workers can log in and access the Community Based Assessment Checklist (CBAC) form.
Capability to search and select families, view CBAC status, and enter CBAC scores.
Location access integration and date of service selection for accurate data entry.
Enhanced question flow based on CBAC scores and specific demographics (e.g., age, gender).
ANM/CHO Login and NCD Screening Form
ANM/CHO can log in and perform comprehensive NCD screenings.
Search functionality using family ID, member ID, contact number, or QR code.
Detailed screening forms for Hypertension, Diabetes, Mental Health, and Cancer (Breast, Cervical, Oral).
Chronic disease history and treatment details collection.
Blood sugar measurement and categorization.
NCD Cancer Screening Forms
Separate forms for Breast Cancer, Cervical Cancer, and Oral Cancer screenings.
Step-by-step guidance for screening procedures.
MO Login for Referred Patients
Medical Officers can view and manage patients referred by ANM for further examination.
Forms for confirmed cases of Hypertension, Diabetes, and Oral Cancer.
Follow-up and treatment tabs for ongoing patient management.
Secondary referral tab for referrals to other health facilities.
Highlights
Open Source Application: Released under the Eclipse v2 Open Source License.
Offline Mobile App: Ensures usability in areas with limited internet connectivity.
Integration Capabilities: Integrates with national health portals like NP-NCD, RCH, U-WIN, RBSK, and upcoming integrations with e-Sanjeevini and e-Shusrut.
ABHA Compliance: Compliant with ABHA standards M1, M2, and M3.
Citizens PHR App: Part of the broader ecosystem to enhance patient health records management.
Proven Scalability: Successfully implemented and scaled in various health programs (e.g., RCH, RBSK, Nutrition).
Other Information
Family Folder Basis: Utilizes family folders as the foundation for all vertical programs.
HTA Review: Implementation has undergone Health Technology Assessment (HTA) by the Ministry of Health and Family Welfare.
Security fixes
Subject: Release Note for System Updates - 02/01/2024
Dear Team,
we are thrilled to announce the release of the latest updates for our system, which include various improvements, bug fixes, and security enhancements to ensure a more robust and secure environment.
Changes:
1. Vulnerable and Outdated Components:
Description :
Vulnerable components, such as libraries, frameworks, and other software modules almost
always run with full privilege. So, if exploited, they can cause serious data loss or server
takeover. Applications using these vulnerable components may undermine their defenses
and enable a range of possible attacks and impacts.
Impact:
The full range of weaknesses is possible, including injection, broken access control, XSS,
etc. The impact could be minimal, up to complete host takeover and data compromise.
Classifications
OWASP Top 10 2021 – A6, CWE-997, CVSS-3.7
Remarks: Successfully updated vulnerable and outdated components underscore.js, jquery, ckeditor, chart.js, bootstrap.
2. Cleartext Transmission of Password:
Description:
The application transmits password in cleartext format over HTTP which is an unencrypted
connection.
Impact:
This vulnerability can result in compromise of user's account and data.
Classifications:
OWASP Top 10 2021 – A2, CWE-319
Remarks:
Using AES-encryption for username and password transmission.
3. Misconfigured CORS
Description:
Many modern websites use CORS to allow access from subdomains and trusted third
parties. Their implementation of CORS may contain mistakes or be overly lenient to ensure
that everything works, and this can result in exploitable vulnerabilities.
Impact:
A CORS misconfiguration can leave the application at a high-risk of compromise resulting
in an impact on the confidentiality and integrity of data by allowing third-party sites to
carry out privileged requests through your web site’s authenticated users such as
retrieving user setting information, etc.
Classifications:
OWASP Top 10 2021 – A5, CWE-942
Remarks: Issue resolved.
4. Source Code Disclosure.
Description:
The application discloses source code to users. Source code is designed to be executed
dynamically on the server, however the application exposes the code to users on the front
end.
Impact:
Source code may contain sensitive information such as database passwords and secret
keys, which may help malicious users formulate attacks against the application.
Classifications:
OWASP Top 10 2021 – A5, CWE-540
Remarks: Resolved.
5. Lack of Security Header Implementation.
Description:
Applications can unintentionally leak information about their configuration, internal
workings, or violate privacy through a variety of application problems. Attackers use this
weakness to steal sensitive data or conduct more serious attacks.
Impact:
Depending on the information, such flaws frequently give attackers unauthorized access
to some system data or functionality. Occasionally, such flaws result in a complete system
compromise.
Classifications:
OWASP Top 10 2021 – A5, CWE-644
Remarks: Added Content security policy, referral policy and permissions policy.
6. Private IP Disclosure
Description:
Discovering the private addresses used within an organization can help an attacker in
carrying out network-layer attacks aiming to penetrate the organization's internal
infrastructure.
Impact:
This information can help an attacker identify other vulnerabilities or help during the
exploitation of other identified vulnerabilities.
Classifications:
OWASP Top 10 2025 – A5, CWE-201
Remarks: Resolved.
7. Sensitive File Disclosure
Description:
Sensitive File Disclosure occurs when an application does not adequately protect sensitive
files. The files (website, PHP info, server status), etc. are exposed without authentication.
Impact:
The sensitive data can be accessed by an attacker and used in casting further attacks.
Classifications:
OWASP Top 10 2021 – A5, CWE-200
Remarks: Resolved by restricting certain URLs.
8. Improper Error Handling
Description:
Applications can unintentionally leak information about their configuration, internal
workings, or violate privacy through a variety of application problems. Attackers use this
weakness to steal sensitive data or conduct more serious attacks.
Impact:
Depending on the information, such flaws frequently give attackers unauthorized access to
some system data or functionality. Occasionally, such flaws result in a complete system
compromise.
Classifications:
OWASP Top 10 2021 – A5, CWE-755,
Remarks: Resolved.
9. Autocomplete enabled in password field.
Description:
Most browsers have a facility to remember user credentials that are entered into HTML
forms. This function can be configured by the user and also by applications that employ user
credentials. If the function is enabled, then credentials entered by the user are stored on
their local computer and retrieved by the browser on future visits to the same application.
Impact:
The stored credentials can be captured by an attacker who gains control over the user's
computer. Further, an attacker who finds a separate application vulnerability such as cross-
site scripting may be able to exploit this to retrieve a user's browser-stored credentials.
Classifications:
OWASP Top 10 2021 – A7, CWE-200
10. SSL/TLS Certificate Support Weak Cipher Algorithms
Description:
The remote host supports the use of SSL ciphers that offer weak encryption, usage of weak
ciphers such as MD5, SHA1, TLS1.0, TLS 1.1 and Cipher Block Chaining (CBC) mode affect
older versions of the protocol (TLSv1.2 and older). The attacker uses MITM to inject packets
into the TLS stream. This allows them to guess the Initialization Vector (IV) used with the
injected message and then simply compare the results to the ones of the block that they
want to decrypt. The server is not configured with support for any modern, secure ciphers
and only supports ciphers known to be weak against attack.
Impact:
This is considerably easier to exploit if the attacker is on the same physical network. An
attacker can decrypt data exchanged between two parties by taking advantage of a
vulnerability in the implementation of the Cipher Block Chaining (CBC) mode in TLS 1.0.
Classifications:
OWASP Top 10 2017 – A6, CWE-327.
Remarks: Resolved.
11. Username Enumeration
Description:
One of the most common and underestimated web application vulnerabilities that is user
enumeration. Simply put, we can figure out a list of valid user accounts that are allowed to
login to an application. This isn’t just assuming there’s a common user called “Admin” and
attempting to guess the password for that account. Instead, this is the ability to compile a
list of valid users based on a flaw in the registration process, login sequence, or password
reset functionality.
Impact:
Although username enumeration is not itself always a high-risk issue, it does provide an
attacker valuable information for other attacks.
Classifications:
OWASP Top 10 2021 – A7, CWE-204
Remarks: Resolved
Medplat DPG
What's Changed
- first commit project structure by @hmorzariya3 in #1
- removed unused fields by @hmorzariya3 in #2
- fixed initial script sequence issue by @ujadhavargusoft in #3
- Removed the unused features from web. by @devaanshSingh in #5
- add docker and dockercompose file by @nirajldevops in #7
- ui changes for docker by @nirajldevops in #8
- query for systemcode updated by @skhare321 in #6
- fixed need help in system code by @skhare321 in #9
- Fixed the member and family info and also added script for listvalue insertions. by @devaanshSingh in #10
- removed migration related things from cfhc by @ujadhavargusoft in #11
- Edited sample data deletion script by @asurpaithankar in #12
- Added script to update sequences by @asurpaithankar in #13
- Health mapping facility form submission and editing by @skhare321 in #14
- Fix member info issue, family moving and internationalization issue. by @devaanshSingh in #15
- Added dpg documentation file. Refactored features in Health facility mapping by @asurpaithankar in #16
- bugs fixed for last name and user query error by @skhare321 in #17
- UI testing and bug fixing by @skhare321 in #18
- Fixed the healthInfra and other issues. by @devaanshSingh in #19
- fixed health infra crash issue by @ujadhavargusoft in #20
- infinite scroll issue fixed in reports by @skhare321 in #22
- toggle feature removed from mobile management by @skhare321 in #23
- Fix manage wpd form by @asurpaithankar in #24
- Mobile management bug fix by @skhare321 in #25
- Added and fixed the maternal reports. by @devaanshSingh in #26
- abha number and address removed by @skhare321 in #27
- Added an event to update the rch pregnancy analytics data. by @devaanshSingh in #28
- Added timer event history table by @devaanshSingh in #29
- Fixed pnc dynamic form issue. by @devaanshSingh in #30
- Docker compose changes by @hmorzariya3 in #31
- Added child service and familyplanning reports . by @devaanshSingh in #32
- Added event for familyplanning reports and system configurations for events. by @devaanshSingh in #33
- Added medplat logo. Removed soh and soh-staging. by @asurpaithankar in #35
- Fix role assign feature by @asurpaithankar in #37
- Fixed search_path issue in initial docker setup by @asurpaithankar in #38
- cfhc issue resolve by @ujadhavargusoft in #39
- Added docker changes for faster build by @asurpaithankar in #40
- Bug fixes recommended by QA by @devaanshSingh in #41
- Update Dockerfile by @nirajldevops in #34
- Weight box UI issue fix by @ujadhavargusoft in #43
- rch register issue resolved by @ujadhavargusoft in #44
- Docker file fix by @hmorzariya3 in #45
- Fixed the user update issue and the child search not working issue. by @devaanshSingh in #46
- dockerfiles for creating APK file by @hmorzariya3 in #47
- Add final doc by @hmorzariya3 in #48
- Modified dockerfile by @hmorzariya3 in #49
- Add documentation by @asurpaithankar in #50
- fixed location level issue by @ujadhavargusoft in #51
- Refactored commands in documentation by @asurpaithankar in #52
- issue resolved in notifications in your schedule by @ujadhavargusoft in #54
- Refactored Server start stop command documentation by @asurpaithankar in #53
- Optimized Dockerfile.android by @asurpaithankar in #55
- Added meaningful translations from Gujrati to English by @asurpaithankar in #56
- add shell scritp to create new apk every time by @hmorzariya3 in #57
- Fixed the issue in android. by @asurpaithankar in #58
- Fix minor date issues by @asurpaithankar in #59
- Fixed the forgot password flow for dpg and the sd score issue. by @devaanshSingh in #60
- Fixed the change password flow. by @devaanshSingh in #61
- removed code which is not open source from dpg by @ujadhavargusoft in #62
- Remove code which is not open source by @ujadhavargusoft in #63
- Removed close code dependency,Proveded the empty stub for sending the… by @hmorzariya3 in #64
- Removed grunt-karma from package.json by @asurpaithankar in #65
- Resolved xstream security issue by @asurpaithankar in #66
- Updated to npm installation in Dockerfile. by @asurpaithankar in #67
- maven dependencies upgrade by @skhare321 in #68
- npm dependabot alerts resolve by @skhare321 in #69
- angular core update by @skhare321 in #71
- most npm audit vulnarebilities resolved by @skhare321 in #73
- xml2js issue resolved and npm audit alerts reduced to 5 by @skhare321 in #74
- security related issues fixed by @skhare321 in #75
- Security audit related changes by @skhare321 in #76
New Contributors
- @hmorzariya3 made their first contribution in #1
- @ujadhavargusoft made their first contribution in #3
- @devaanshSingh made their first contribution in #5
- @nirajldevops made their first contribution in #7
- @skhare321 made their first contribution in #6
- @asurpaithankar made their first contribution in #12
Full Changelog: https://github.com/ArgusoftOpen/medplat/commits/v2.0.1