Description
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.
Published: 2026-06-05
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The damasac thaipalliative_lte web application contains a reflected cross‑site scripting vulnerability that is triggered when an attacker supplies specially crafted input via the idFormMain, id, or ptid_key parameters to the ezform.php script. User input is echoed directly into the page without HTML or JavaScript encoding, permitting arbitrary client‑side code execution within the victim’s browser context. This can be used to hijack sessions, steal cookies, or inject malicious content affecting confidentiality, integrity, and availability. The flaw is a classic instance of CWE‑79 reflected XSS.

Affected Systems

The vulnerable product is damasac thaipalliative_lte, available on GitHub, and affected through version 3.0 or earlier. The issue resides in the /substudy/ezform.php file, where the idFormMain, id, and ptid_key parameters are used without proper sanitization. No other vendors or product versions are listed as affected.

Risk and Exploitability

The flaw can be exploited remotely by constructing URLs or form submissions that include malicious payloads in the idFormMain, id, or ptid_key fields; no authentication is required. With a CVSS score of 6.1 and an EPSS score of less than 1 %, the vulnerability is considered medium severity, and it is not currently listed in CISA’s KEV catalog. The likely attack vector is web‑based input reflection, making the vulnerability a moderate risk for any environment running an unpatched version of the application.

Generated by OpenCVE AI on June 9, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Sanitize and encode all user‑supplied values of idFormMain, id, and ptid_key before rendering them in HTML or JavaScript output, using functions such as htmlspecialchars or a dedicated XSS‑safe rendering library.
  • Implement a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
  • Upgrade to the latest release of the damasac thaipalliative_lte application once it includes a fix for the XSS flaw; if no newer release is available, manually apply the encoding changes to ezform.php to prevent reflection of unsanitized input.

Generated by OpenCVE AI on June 9, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in damasac thaipalliative_lte ezform.php via idFormMain, id, and ptid_key Parameters

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Damasac
Damasac thaipalliative Lte
Vendors & Products Damasac
Damasac thaipalliative Lte

Fri, 05 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in damasac thaipalliative_lte ezform.php via idFormMain, id, and ptid_key Parameters
Weaknesses CWE-79

Fri, 05 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.
References

Subscriptions

Damasac Thaipalliative Lte
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T13:21:04.473Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38579

cve-icon Vulnrichment

Updated: 2026-06-09T13:20:55.456Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T15:16:52.850

Modified: 2026-06-09T14:16:38.647

Link: CVE-2026-38579

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T16:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')