This vulnerability involves multiple reflected XSS issues in damasac thaipalliative_lte through version 3.0. Specifically, the parameters idFormMain, id, and ptid_key in /substudy/ezform.php are vulnerable because user input is inserted into HTML attributes and JavaScript contexts without encoding or sanitization. This improper handling enables attackers to inject malicious scripts that could execute in the context of a victim's browser. The CVE is published but lacks a CVSS score and no remediation details have been provided.

Successful exploitation could allow remote attackers to execute arbitrary scripts in the context of users visiting the vulnerable web application, potentially leading to session hijacking, defacement, or other client-side attacks. However, no known exploits are reported in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider applying input validation and output encoding on the affected parameters to mitigate reflected XSS risks. Avoiding use of the affected parameters or restricting access to the vulnerable script may reduce exposure.