MEDIUM 6.1

CVE-2026-38579: Reflected XSS in Damasac Thaipalliative LTE – Security Alert

Damasac Thaipalliative LTE through version 3.0 contains multiple reflected cross-site scripting (XSS) vulnerabilities that allow attackers to inject malicious scripts into web pages viewed by users. The flaws exist in the /substudy/ezform.php file where user-supplied values are directly inserted into HTML without proper sanitization. An attacker can craft a malicious URL and trick a user into clicking it, causing arbitrary JavaScript to execute in that user's browser within the context of the vulnerable application.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from unsafe reflection of user input in three separate parameters: idFormMain (line 24), id (lines 25 and 75), and ptid_key (lines 26 and 42) within /substudy/ezform.php. User-supplied values are echoed directly into HTML attributes and JavaScript contexts without encoding or validation. This allows attackers to break out of the intended context and inject arbitrary HTML or script tags. The reflected nature means each attack requires the victim to visit an attacker-crafted URL, but no authentication is required to craft or distribute such URLs.

Business impact

Reflected XSS vulnerabilities in healthcare or clinical applications pose significant operational and compliance risks. Attackers could hijack user sessions, redirect patients or clinicians to malicious sites, capture sensitive healthcare data entered into forms, or deface the application interface. For a palliative care system, such attacks could undermine trust in the platform and potentially interfere with patient care coordination. HIPAA and similar healthcare regulations may impose breach notification and audit requirements if patient data is compromised through exploitation.

Affected systems

Damasac Thaipalliative LTE versions up to and including 3.0 are affected. The vulnerability is specific to the /substudy/ezform.php endpoint and the three parameters mentioned. Organizations using this application should verify their installed version against the vendor's advisory to confirm whether they are running a vulnerable build.

Exploitability

Exploitation requires user interaction—the victim must click a malicious link or visit an attacker-controlled page that frames the vulnerable URL. No special privileges are needed on the attacker side, and no interaction with the application is required beyond crafting the URL. Network accessibility is unrestricted (AV:N). The low attack complexity (AC:L) and lack of privilege requirements make this relatively straightforward to exploit once a victim is targeted. However, the requirement for user action (UI:R) provides a modest friction point.

Remediation

Organizations should immediately upgrade damasac Thaipalliative LTE to a patched version released after 3.0. Verify the exact patch version and availability in the vendor's security advisory or release notes. If immediate patching is not possible, implement input validation and output encoding at the application level: ensure all user input from idFormMain, id, and ptid_key parameters is validated against a whitelist and encoded before being reflected in HTML or JavaScript contexts.

Patch guidance

Consult the damasac vendor advisory for the specific patched version addressing CVE-2026-38579. Upgrade damasac Thaipalliative LTE to the recommended version and validate the fix by testing that the idFormMain, id, and ptid_key parameters no longer reflect unencoded user input. After patching, review application logs for any evidence of prior exploitation attempts, particularly URLs with script tags or encoded payloads in those parameters.

Detection guidance

Monitor HTTP request logs to /substudy/ezform.php for suspicious patterns in the idFormMain, id, and ptid_key parameters, such as script tags (<script>), event handlers (onerror=, onload=), or URL-encoded equivalents (%3Cscript%3E, etc.). Web application firewalls and intrusion detection systems should be configured to block requests containing common XSS payloads targeting these parameters. Additionally, review browser console logs on client systems and check for unexpected JavaScript execution or network requests originating from the application.

Why prioritize this

Although the CVSS score is MEDIUM (6.1), the context matters significantly. Reflected XSS in a healthcare application warrants above-baseline prioritization because (1) patient and clinician data sensitivity is high, (2) compliance implications are substantial, (3) user interaction is common in clinical workflows (users do click links and share data), and (4) the exploit requires no special privilege or complexity. This should be elevated in your backlog, especially if your environment has external-facing instances or high user traffic.

Risk score, explained

CVSS 3.1 score of 6.1 reflects network accessibility (AV:N), low attack complexity (AC:L), no authentication required (PR:N), and limited impact—confidentiality and integrity are partial (C:L, I:L) because the attacker controls only what the victim's browser renders and submits, not backend data. The cross-site scope (S:C) increases the score slightly. No availability impact (A:N) is assigned because XSS does not directly crash services. The user interaction requirement (UI:R) moderates the final score. In practice, the business context (healthcare) and ease of weaponizing XSS suggest treating this as higher priority than the score alone suggests.

Frequently asked questions

Can an attacker exploit this vulnerability without user interaction?

No. This is a reflected XSS, which requires the user to click a malicious link or visit an attacker-controlled page that triggers the vulnerable endpoint. The attacker cannot directly execute code on the server or in a user's browser without this social engineering element.

What data can an attacker steal if they successfully exploit this?

An attacker can access anything visible to the logged-in user within the application, including form data, session cookies, and potentially other sensitive information on the page. In a healthcare context, this could include patient identifiers, clinical notes, or other PHI. The actual impact depends on what data the affected page and the user's session have access to.

Is there a patch available yet?

Check the damasac vendor security advisory and release notes for the availability of patched versions. The vulnerability was published on 2026-06-05. If no patch is available from the vendor, implement compensating controls such as input validation, output encoding, and web application firewall rules to block known XSS payloads until a patch is released.

Why does this affect multiple parameters in the same file?

The developers likely used a pattern where user input from multiple sources (idFormMain, id, ptid_key) was reflected into HTML or JavaScript without a centralized encoding function. This is a common anti-pattern in legacy or rapidly developed applications. A single fix—implementing output encoding before all user input is reflected—would address all three parameters.

This analysis is based on publicly available information as of the publication date. Patch availability and version numbers should be verified against the damasac vendor advisory. Organizations should conduct their own risk assessment based on their specific deployment, data sensitivity, and exposure. This content is provided for informational purposes and does not constitute legal or compliance advice. Always consult your security team and vendor documentation before implementing mitigations. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).