Impact
The damasac thaipalliative_lte web application contains a reflected cross-site scripting vulnerability that is triggered when an attacker supplies specially crafted input via the idFormMain, id, or ptid_key parameters to the ezform.php script. The application echoes these parameter values directly back into the page without applying any form of HTML or JavaScript encoding, allowing malicious payloads to execute arbitrary client-side code with the privileges of the victim's browser session. Attackers can hijack sessions, steal authentication cookies, or inject phishing content, thereby compromising confidentiality, integrity, and availability. The weakness is classified as CWE-79 (reflected XSS).
Affected Systems
The vulnerable product is damasac thaipalliative_lte, distributed on GitHub; version 3.0 and earlier are affected. The flaw resides specifically in the /substudy/ezform.php file, where the idFormMain, id, and ptid_key parameters are used without proper sanitization. No other vendors or product versions are listed as affected.
Risk and Exploitability
The flaw can be exploited remotely by crafting URLs or form submissions containing malicious payloads in the idFormMain, id, or ptid_key fields, which are reflected immediately into the client’s browser. No authentication or privileged access is required; any user who visits the vulnerable endpoint is at risk. Because the EPSS score is not available and the issue is not listed in the CISA KEV catalog, the precise likelihood of exploitation is unclear, but XSS remains a common attack surface. The absence of mitigations such as proper encoding or a Content Security Policy makes the vulnerability high‑risk for any environment running an unpatched version of the application.
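The two mitigations named above, output encoding and a Content Security Policy, can be sketched in PHP as follows. This is an added example and not the project's code: the parameter names come from the advisory, while the identifier format, the use of $_GET, and the helper names h() and id_param() are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code. Parameter names are from the advisory;
// the token format and the use of $_GET are assumptions.

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Return the parameter when it matches the assumed identifier format, else null. */
function id_param(array $query, string $name): ?string
{
    $raw = $query[$name] ?? null;
    // Rejects arrays (?id[]=x), empty strings and anything containing markup.
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

$params = [];
foreach (['idFormMain', 'id', 'ptid_key'] as $name) {
    $params[$name] = id_param($_GET, $name);
    if (array_key_exists($name, $_GET) && $params[$name] === null) {
        http_response_code(400);
        exit('Invalid request parameter');
    }
}

// Defence in depth: with this policy an injected inline <script> does not run.
// Pages that rely on inline scripts need them moved to files (or nonces) first.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
    . "object-src 'none'; base-uri 'none'");
?>
<form method="get" action="ezform.php">
<?php foreach ($params as $name => $value): ?>
  <input type="hidden" name="<?= h($name) ?>" value="<?= h($value ?? '') ?>">
<?php endforeach; ?>
</form>
```

Encoding at the point of output is the primary fix; the format check and the response header only narrow what can reach the page and what the browser will run if something does.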