Skip to content

Releases: ArgusoftOpen/medplat

v2.1.0

Choose a tag to compare

@skhare321 skhare321 released this 17 Jul 10:03
7519788

Subject: Release Note for System Updates - 17/07/2024

Dear Team,
we are thrilled to announce the release of the latest updates for our system, which include NCD Module:

New features:

ASHA Login and CBAC Form Entry
    ASHA workers can log in and access the Community Based Assessment Checklist (CBAC) form.
    Capability to search and select families, view CBAC status, and enter CBAC scores.
    Location access integration and date of service selection for accurate data entry.
    Enhanced question flow based on CBAC scores and specific demographics (e.g., age, gender).

ANM/CHO Login and NCD Screening Form
    ANM/CHO can log in and perform comprehensive NCD screenings.
    Search functionality using family ID, member ID, contact number, or QR code.
    Detailed screening forms for Hypertension, Diabetes, Mental Health, and Cancer (Breast, Cervical, Oral).
    Chronic disease history and treatment details collection.
    Blood sugar measurement and categorization.

NCD Cancer Screening Forms
    Separate forms for Breast Cancer, Cervical Cancer, and Oral Cancer screenings.
    Step-by-step guidance for screening procedures.

MO Login for Referred Patients
    Medical Officers can view and manage patients referred by ANM for further examination.
    Forms for confirmed cases of Hypertension, Diabetes, and Oral Cancer.
    Follow-up and treatment tabs for ongoing patient management.
    Secondary referral tab for referrals to other health facilities.

Highlights

Open Source Application: Released under the Eclipse v2 Open Source License.
Offline Mobile App: Ensures usability in areas with limited internet connectivity.
Integration Capabilities: Integrates with national health portals like NP-NCD, RCH, U-WIN, RBSK, and upcoming integrations with e-Sanjeevini and e-Shusrut.
ABHA Compliance: Compliant with ABHA standards M1, M2, and M3.
Citizens PHR App: Part of the broader ecosystem to enhance patient health records management.
Proven Scalability: Successfully implemented and scaled in various health programs (e.g., RCH, RBSK, Nutrition).

Other Information

Family Folder Basis: Utilizes family folders as the foundation for all vertical programs.
HTA Review: Implementation has undergone Health Technology Assessment (HTA) by the Ministry of Health and Family Welfare.

Security fixes

Choose a tag to compare

@skhare321 skhare321 released this 02 Jan 11:32
b4f8277

Subject: Release Note for System Updates - 02/01/2024

Dear Team,
we are thrilled to announce the release of the latest updates for our system, which include various improvements, bug fixes, and security enhancements to ensure a more robust and secure environment.

Changes:

1. Vulnerable and Outdated Components:

Description :
Vulnerable components, such as libraries, frameworks, and other software modules almost
always run with full privilege. So, if exploited, they can cause serious data loss or server
takeover. Applications using these vulnerable components may undermine their defenses
and enable a range of possible attacks and impacts.

Impact:
The full range of weaknesses is possible, including injection, broken access control, XSS,
etc. The impact could be minimal, up to complete host takeover and data compromise.

Classifications
OWASP Top 10 2021 – A6, CWE-997, CVSS-3.7

Remarks: Successfully updated vulnerable and outdated components underscore.js, jquery, ckeditor, chart.js, bootstrap.

2. Cleartext Transmission of Password:

Description:
The application transmits password in cleartext format over HTTP which is an unencrypted
connection.

Impact:
This vulnerability can result in compromise of user's account and data.

Classifications:
OWASP Top 10 2021 – A2, CWE-319

Remarks:
Using AES-encryption for username and password transmission.

3. Misconfigured CORS

Description:
Many modern websites use CORS to allow access from subdomains and trusted third
parties. Their implementation of CORS may contain mistakes or be overly lenient to ensure
that everything works, and this can result in exploitable vulnerabilities.

Impact:
A CORS misconfiguration can leave the application at a high-risk of compromise resulting
in an impact on the confidentiality and integrity of data by allowing third-party sites to
carry out privileged requests through your web site’s authenticated users such as
retrieving user setting information, etc.

Classifications:
OWASP Top 10 2021 – A5, CWE-942

Remarks: Issue resolved.

4. Source Code Disclosure.

Description:
The application discloses source code to users. Source code is designed to be executed
dynamically on the server, however the application exposes the code to users on the front
end.

Impact:
Source code may contain sensitive information such as database passwords and secret
keys, which may help malicious users formulate attacks against the application.

Classifications:
OWASP Top 10 2021 – A5, CWE-540

Remarks: Resolved.

5. Lack of Security Header Implementation.

Description:
Applications can unintentionally leak information about their configuration, internal
workings, or violate privacy through a variety of application problems. Attackers use this
weakness to steal sensitive data or conduct more serious attacks.

Impact:
Depending on the information, such flaws frequently give attackers unauthorized access
to some system data or functionality. Occasionally, such flaws result in a complete system
compromise.

Classifications:
OWASP Top 10 2021 – A5, CWE-644

Remarks: Added Content security policy, referral policy and permissions policy.

6. Private IP Disclosure

Description:
Discovering the private addresses used within an organization can help an attacker in
carrying out network-layer attacks aiming to penetrate the organization's internal
infrastructure.

Impact:
This information can help an attacker identify other vulnerabilities or help during the
exploitation of other identified vulnerabilities.

Classifications:
OWASP Top 10 2025 – A5, CWE-201

Remarks: Resolved.

7. Sensitive File Disclosure

Description:
Sensitive File Disclosure occurs when an application does not adequately protect sensitive
files. The files (website, PHP info, server status), etc. are exposed without authentication.

Impact:
The sensitive data can be accessed by an attacker and used in casting further attacks.

Classifications:
OWASP Top 10 2021 – A5, CWE-200

Remarks: Resolved by restricting certain URLs.

8. Improper Error Handling

Description:
Applications can unintentionally leak information about their configuration, internal
workings, or violate privacy through a variety of application problems. Attackers use this
weakness to steal sensitive data or conduct more serious attacks.

Impact:
Depending on the information, such flaws frequently give attackers unauthorized access to
some system data or functionality. Occasionally, such flaws result in a complete system
compromise.

Classifications:
OWASP Top 10 2021 – A5, CWE-755,

Remarks: Resolved.

9. Autocomplete enabled in password field.

Description:
Most browsers have a facility to remember user credentials that are entered into HTML
forms. This function can be configured by the user and also by applications that employ user
credentials. If the function is enabled, then credentials entered by the user are stored on
their local computer and retrieved by the browser on future visits to the same application.

Impact:
The stored credentials can be captured by an attacker who gains control over the user's
computer. Further, an attacker who finds a separate application vulnerability such as cross-
site scripting may be able to exploit this to retrieve a user's browser-stored credentials.

Classifications:
OWASP Top 10 2021 – A7, CWE-200

10. SSL/TLS Certificate Support Weak Cipher Algorithms

Description:
The remote host supports the use of SSL ciphers that offer weak encryption, usage of weak
ciphers such as MD5, SHA1, TLS1.0, TLS 1.1 and Cipher Block Chaining (CBC) mode affect
older versions of the protocol (TLSv1.2 and older). The attacker uses MITM to inject packets
into the TLS stream. This allows them to guess the Initialization Vector (IV) used with the
injected message and then simply compare the results to the ones of the block that they
want to decrypt. The server is not configured with support for any modern, secure ciphers
and only supports ciphers known to be weak against attack.

Impact:
This is considerably easier to exploit if the attacker is on the same physical network. An
attacker can decrypt data exchanged between two parties by taking advantage of a
vulnerability in the implementation of the Cipher Block Chaining (CBC) mode in TLS 1.0.

Classifications:
OWASP Top 10 2017 – A6, CWE-327.

Remarks: Resolved.

11. Username Enumeration

Description:
One of the most common and underestimated web application vulnerabilities that is user
enumeration. Simply put, we can figure out a list of valid user accounts that are allowed to
login to an application. This isn’t just assuming there’s a common user called “Admin” and
attempting to guess the password for that account. Instead, this is the ability to compile a
list of valid users based on a flaw in the registration process, login sequence, or password
reset functionality.

Impact:
Although username enumeration is not itself always a high-risk issue, it does provide an
attacker valuable information for other attacks.

Classifications:
OWASP Top 10 2021 – A7, CWE-204

Remarks: Resolved

Medplat DPG

Choose a tag to compare

@skhare321 skhare321 released this 02 Jan 08:39
b4f8277

What's Changed

New Contributors

Full Changelog: https://github.com/ArgusoftOpen/medplat/commits/v2.0.1