CVE-2025-24757: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Long Watch Studio MyRewards
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Long Watch Studio MyRewards allows Stored XSS. This issue affects MyRewards: from n/a through 5.4.13.1.
AI Analysis
Technical Summary
CVE-2025-24757 is classified as CWE-79, Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). It affects the Long Watch Studio MyRewards product up to and including version 5.4.13.1. The flaw allows an attacker to inject script that is stored persistently within the application (Stored XSS); when other users open the affected pages, the script executes in their browsers and can compromise their session, steal credentials, or perform unauthorized actions on their behalf. The root cause is insufficient sanitization or encoding of user-supplied input before it is included in pages generated by the application. The CVSS v3.1 base score is 6.5, a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be launched remotely over the network, has low attack complexity, requires low privileges, and needs user interaction. The scope is changed: the vulnerable component is the web application, but the impact lands in the browsers of the users who view the injected content, that is, in resources beyond the initially vulnerable component. Confidentiality, integrity, and availability are each affected to a limited extent. No exploits are currently reported in the wild, and no patches are linked yet. The vulnerability was reserved in January 2025 and published in July 2025.
Potential Impact
For European organizations using Long Watch Studio MyRewards, this vulnerability poses a significant risk to web application security and user trust. Stored XSS can lead to session hijacking, unauthorized actions, and data theft, potentially exposing sensitive customer or employee information; such exposure of personal data can in turn result in regulatory non-compliance, especially under GDPR. The medium severity score suggests that, while the vulnerability is not critical, it can still cause meaningful disruption and reputational damage. Attackers exploiting this flaw could target loyalty program users or internal staff, leading to fraud or unauthorized access to rewards data. Because exploitation requires only low privileges plus user interaction, phishing or social engineering could be used to get a victim to view the injected content. The changed scope indicates that the impact could extend beyond the immediate application, potentially affecting integrated systems or services. Given that no exploits are known, proactive mitigation is the right time to act rather than after an attack.
Mitigation Recommendations
Organizations should immediately audit their MyRewards installations to identify affected versions (up to 5.4.13.1). Until an official patch is released, apply strict input validation and context-appropriate output encoding to all user-supplied data, especially where user input is reflected, or stored and later rendered, in web pages. Deploy Content Security Policy (CSP) headers to restrict script execution and reduce the impact of any XSS that slips through. Conduct code reviews focused on input handling and sanitization routines. Educate users to recognize phishing attempts that could lead them to pages carrying injected payloads. Monitor web application logs for unusual input patterns or script injection attempts. Where possible, isolate the MyRewards application environment to limit lateral movement in case of compromise. Once a vendor patch is available, prioritize timely deployment. Additionally, consider deploying a Web Application Firewall (WAF) with rules targeting XSS payloads relevant to this vulnerability, and regularly update and test incident response plans to cover exploitation scenarios.
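The following is an added illustration, not code from MyRewards or Long Watch Studio, of the two mitigations the analysis above leans on: encoding stored user input before it is rendered into HTML, and a Content Security Policy that keeps an unencoded inline script from executing. All names (`renderVulnerable`, `renderSafe`, `buildCsp`) and the stored sample value are constructed for this example.

```javascript
// Added example (not MyRewards code). Shows why a value stored earlier must still
// be treated as untrusted when rendered, and a CSP that limits inline script.

// Encoder for the HTML-text context: the five characters that can change the
// meaning of markup are replaced with entities.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed "stored" record: a display name a user saved in an earlier request.
// Storage does not make it trusted; it is still attacker-controlled input.
const storedProfile = { nickname: "<script>alert(1)</script>" };

// Vulnerable rendering (the CWE-79 pattern): stored user data is concatenated
// straight into the page, so the browser parses the tag and runs it for every
// viewer of the page.
function renderVulnerable(profile) {
  return `<p class="nickname">${profile.nickname}</p>`;
}

// Hardened rendering: the same value encoded for the context it is placed in.
// The browser shows the literal text and executes nothing.
function renderSafe(profile) {
  return `<p class="nickname">${escapeHtml(profile.nickname)}</p>`;
}

// Review aid: does rendered output still contain a raw <script> tag?
function containsExecutableScript(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: a CSP that only allows same-origin scripts carrying the
// per-response nonce. An injected inline <script> has no nonce and is blocked
// even if an encoding gap is missed somewhere.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Stand-alone run: compare both renderings and print the header value.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderVulnerable(storedProfile));
  console.log("safe:      ", renderSafe(storedProfile));
  console.log("CSP:       ", buildCsp("r4nd0mNonce"));
}
```

The nonce passed to `buildCsp` must be freshly generated for every response and also placed on the application's own `<script>` tags; a static or reused nonce gives the policy no value.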
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:53:08.866Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686796cb6f40f0eb729fa54e
Added to database: 7/4/2025, 8:54:35 AM
Last enriched: 7/4/2025, 9:14:47 AM
Last updated: 7/8/2025, 2:24:31 PM
Related Threats
- CVE-2025-7525: Command Injection in TOTOLINK T6 (Medium)
- CVE-2025-7524: Command Injection in TOTOLINK T6 (Medium)
- CVE-2025-7012: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Cato Networks Cato Client (High)
- CVE-2025-7523: XML External Entity Reference in Jinher OA (Medium)
- CVE-2025-7522: SQL Injection in PHPGurukul Vehicle Parking Management System (Medium)