CVE-2025-24757 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the Long Watch Studio MyRewards application up to version 5.4.13.1. Stored XSS occurs when malicious input is improperly neutralized and then persistently stored by the application, later being served to users without adequate sanitization or encoding. This vulnerability allows an attacker with at least low privileges (PR:L) and requiring user interaction (UI:R) to inject malicious scripts into web pages generated by MyRewards. The CVSS 3.1 base score of 6.5 reflects a medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), and scope change (S:C), indicating that exploitation can affect components beyond the initially vulnerable module. Successful exploitation can lead to partial compromise of confidentiality, integrity, and availability of the affected system, such as session hijacking, defacement, or unauthorized actions performed on behalf of legitimate users. The vulnerability is particularly concerning because the scope is changed, meaning the impact extends beyond the vulnerable component, potentially affecting other parts of the system or connected services. No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting that organizations using MyRewards should prioritize monitoring and prepare for remediation once patches become available.

For European organizations using Long Watch Studio MyRewards, this vulnerability poses a significant risk to the security of customer loyalty and rewards data, which often includes personally identifiable information (PII). Exploitation could lead to unauthorized access to user accounts, manipulation of reward balances, or injection of malicious content affecting end-users and internal staff. Given the GDPR regulations in Europe, any data breach or unauthorized data manipulation could result in substantial legal and financial penalties. Additionally, the reputational damage from a successful XSS attack could erode customer trust and impact business continuity. The scope change in the vulnerability means that the impact could extend to other integrated systems or services, increasing the potential damage. Organizations in sectors such as retail, hospitality, or any customer-facing services that rely on MyRewards for loyalty programs are particularly at risk. The requirement for user interaction means phishing or social engineering could be used to trigger the exploit, increasing the attack surface.

European organizations should implement a multi-layered mitigation strategy beyond generic advice: 1) Apply input validation and output encoding rigorously on all user-supplied data, especially in areas where MyRewards generates web pages. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 3) Monitor and audit logs for unusual activities or attempts to inject scripts, focusing on user-generated content fields. 4) Restrict privileges to the minimum necessary for users interacting with MyRewards to reduce the potential for exploitation. 5) Prepare for rapid deployment of patches from Long Watch Studio once available, including testing in staging environments to avoid operational disruptions. 6) Educate users and administrators about the risks of phishing and social engineering that could trigger the stored XSS. 7) Consider implementing Web Application Firewalls (WAF) with rules tuned to detect and block XSS payloads specific to MyRewards. 8) Conduct regular security assessments and penetration testing focusing on input sanitization and stored XSS vectors within MyRewards deployments.