CVE-2025-24757 is a security vulnerability classified as CWE-79, which refers to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This specific vulnerability affects the Long Watch Studio MyRewards product, up to version 5.4.13.1. The flaw allows an attacker to inject malicious scripts that are stored persistently (Stored XSS) within the application. When other users access the affected pages, the malicious script executes in their browsers, potentially compromising their session, stealing credentials, or performing unauthorized actions on their behalf. The vulnerability arises due to insufficient sanitization or encoding of user-supplied input before it is included in web pages generated by the application. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) shows that the attack can be launched remotely over the network with low attack complexity, requires low privileges, and user interaction is needed. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability to a limited extent. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability was reserved in January 2025 and published in July 2025.

For European organizations using Long Watch Studio MyRewards, this vulnerability poses a significant risk to web application security and user trust. Stored XSS can lead to session hijacking, unauthorized actions, and data theft, potentially exposing sensitive customer or employee information. This can result in regulatory non-compliance, especially under GDPR, due to personal data exposure. The medium severity score suggests that while the vulnerability is not critical, it can still cause meaningful disruption and reputational damage. Attackers exploiting this flaw could target loyalty program users or internal staff, leading to fraud or unauthorized access to rewards data. The requirement for low privileges and user interaction means phishing or social engineering could facilitate exploitation. The scope change indicates that the impact could extend beyond the immediate application, potentially affecting integrated systems or services. Given the lack of known exploits, proactive mitigation is essential to prevent future attacks.

Organizations should immediately audit their MyRewards installations to identify affected versions (up to 5.4.13.1). Until an official patch is released, implement strict input validation and output encoding on all user-supplied data, especially in areas where user input is reflected or stored and later rendered in web pages. Employ Content Security Policy (CSP) headers to restrict script execution and reduce XSS impact. Conduct thorough code reviews focusing on input handling and sanitization routines. Educate users to recognize phishing attempts that could trigger malicious payloads. Monitor web application logs for unusual input patterns or script injections. If possible, isolate the MyRewards application environment to limit lateral movement in case of compromise. Once a vendor patch is available, prioritize timely deployment. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to this vulnerability. Regularly update and test incident response plans to handle potential exploitation scenarios.