Impact
The Linkit ONE Location Aware Sensor System (LASS) contains a reflected cross‑site scripting vulnerability in the PM25.php file. Values supplied in GET parameters such as site, city, district, channel, or apikey are reflected into the response without adequate validation or escaping, so a remote attacker can inject arbitrary JavaScript that executes in the browser of anyone who opens a crafted link. The flaw is classified as CWE‑79 (improper neutralization of input during web page generation). Executing arbitrary JavaScript in a victim’s browser can lead to session hijacking, phishing, defacement, or data exfiltration; these are the usual consequences of XSS rather than impacts explicitly stated in the vulnerability description.
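The following is an added illustration of the CWE‑79 pattern described above, not code from the LASS project: a minimal PHP page that reflects the same query parameter names (site, city, district, channel, apikey), first in the unescaped form that produces a reflected XSS and then in a hardened form that escapes every reflected value. The page layout and function names are hypothetical; only the parameter names come from the advisory.

```php
<?php
// Added example, not the LASS project's PM25.php. It shows the defect class
// (CWE-79) and the fix, using the parameter names from the advisory.
declare(strict_types=1);

// Vulnerable pattern: a raw query value is concatenated straight into HTML,
// so any markup or <script> in the parameter is interpreted by the browser.
function renderVulnerable(array $get): string
{
    $site = $get['site'] ?? '';
    return "<h2>PM2.5 readings for site: $site</h2>";
}

// Hardened pattern: escape for the HTML context at the point of output.
// ENT_QUOTES covers both quote styles so the value is also safe inside
// attribute values; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8; the explicit charset must match the page's Content-Type.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Complementary input validation: parameters with a known shape are checked
// against an allow-list pattern and rejected (null) rather than reflected.
function validParam(string $value, string $pattern): ?string
{
    return preg_match($pattern, $value) === 1 ? $value : null;
}

function renderHardened(array $get): string
{
    $items = [];
    foreach (['site', 'city', 'district', 'channel', 'apikey'] as $name) {
        $raw = (string)($get[$name] ?? '');
        $items[] = sprintf('<li>%s: %s</li>', esc($name), esc($raw));
    }
    return '<ul>' . implode('', $items) . '</ul>';
}

// Constructed request standing in for $_GET: a harmless probe string of the
// kind a scanner would send, used here only to show the two behaviours.
$request = ['site' => '<script>alert(1)</script>', 'city' => 'Taipei'];

echo renderVulnerable($request), "\n";  // the <script> element reaches the browser intact
echo renderHardened($request), "\n";    // rendered as &lt;script&gt;... and shown as text
var_dump(validParam($request['site'], '/^[A-Za-z0-9_-]{1,32}$/') === null); // bool(true): rejected
```

Escaping at output is the primary fix; the allow-list check is a defence in depth for parameters such as channel or apikey that should never contain markup.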
Affected Systems
The affected product is the Location Aware Sensor System (LASS) from LinkItONEDevGroup. Any deployment whose source code is at or before commit f06bd20 (2023‑04‑26) is vulnerable. Versions newer than this commit that include the remediation are not considered affected, based on the information available.
Risk and Exploitability
The CVSS score for this issue is 5.1, which corresponds to medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to craft a URL carrying a malicious payload in one of the vulnerable query parameters and to get a victim to visit that URL. The attack vector is remote and no authentication is required, so the main limiting factor is the user interaction needed to open the crafted link.
OpenCVE Enrichment