CVE-2025-24757: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Long Watch Studio MyRewards

Severity: Medium
Tags: Vulnerability, CVE-2025-24757, cve, cve-2025-24757, cwe-79
Published: Fri Jul 04 2025 (07/04/2025, 08:42:06 UTC)
Source: CVE Database V5
Vendor/Project: Long Watch Studio
Product: MyRewards

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Long Watch Studio MyRewards allows Stored XSS. This issue affects MyRewards: from n/a through 5.4.13.1.

AI-Powered Analysis

Last updated: 07/04/2025, 09:14:47 UTC

Technical Analysis

CVE-2025-24757 is a security vulnerability classified as CWE-79, Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). It affects the Long Watch Studio MyRewards product up to and including version 5.4.13.1. The flaw allows an attacker to inject script that is stored persistently by the application (Stored XSS). When other users access the affected pages, the stored script executes in their browsers, potentially compromising their session, stealing credentials, or performing unauthorized actions on their behalf. The vulnerability arises from insufficient sanitization or encoding of user-supplied input before it is included in web pages generated by the application. The CVSS v3.1 base score is 6.5, a medium severity rating. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) shows that the attack can be launched remotely over the network with low attack complexity, requires low privileges, and needs user interaction. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The confidentiality, integrity, and availability impacts are each rated Low. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability was reserved in January 2025 and published in July 2025.

Potential Impact

For European organizations using Long Watch Studio MyRewards, this vulnerability poses a significant risk to web application security and user trust. Stored XSS can lead to session hijacking, unauthorized actions, and data theft, potentially exposing sensitive customer or employee information. This can result in regulatory non-compliance, especially under GDPR, due to personal data exposure. The medium severity score suggests that while the vulnerability is not critical, it can still cause meaningful disruption and reputational damage. Attackers exploiting this flaw could target loyalty program users or internal staff, leading to fraud or unauthorized access to rewards data. The requirement for low privileges and user interaction means phishing or social engineering could facilitate exploitation. The scope change indicates that the impact could extend beyond the immediate application, potentially affecting integrated systems or services. Given the lack of known exploits, proactive mitigation is essential to prevent future attacks.

Mitigation Recommendations

Organizations should immediately audit their MyRewards installations to identify affected versions (5.4.13.1 and earlier). Until an official patch is released, implement strict input validation and context-aware output encoding on all user-supplied data, especially in areas where user input is reflected or stored and later rendered in web pages. Employ Content Security Policy (CSP) headers to restrict script execution and reduce XSS impact. Conduct thorough code reviews focusing on input handling and sanitization routines. Educate users to recognize phishing attempts that could trigger malicious payloads. Monitor web application logs for unusual input patterns or script injections. If possible, isolate the MyRewards application environment to limit lateral movement in case of compromise. Once a vendor patch is available, prioritize timely deployment. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to this vulnerability. Regularly update and test incident response plans to handle potential exploitation scenarios.
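The recommendations above name three controls: output encoding, a CSP header, and log monitoring. The example below, added here and not taken from MyRewards or the advisory, puts the vulnerable CWE-79 sink (stored data concatenated into markup) next to its hardened forms for the HTML body, attribute and URL contexts, builds a nonce-based CSP as a second layer, and runs a simple injected-markup check over constructed access-log lines. The stored profile value, template, parameter names and log lines are all constructed for illustration.

```python
"""Stored-XSS sink vs. context-aware output encoding, nonce CSP, and a log check.
Added example; template, field names and log lines are constructed."""
import html
import re
import secrets
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed stored value standing in for a user-editable loyalty profile field.
# It carries markup only so the two render paths can be compared; it does nothing.
STORED_DISPLAY_NAME = 'Alice <b title="x">"VIP"</b>'

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")


def tag_names(markup: str) -> list:
    """Names of every element tag (open or close) present in rendered markup."""
    return [m.group(1).lower() for m in TAG_RE.finditer(markup)]


def render_unsafe(display_name: str) -> str:
    """Vulnerable pattern (CWE-79): stored data concatenated straight into HTML."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_safe(display_name: str) -> str:
    """Hardened: escape at the point of output; quote=True also covers \" and '."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def render_attr_safe(display_name: str) -> str:
    """Attribute context: quote the attribute AND escape the value."""
    return f'<input type="text" name="display_name" value="{html.escape(display_name, quote=True)}">'


def render_link_safe(display_name: str) -> str:
    """URL context: percent-encode for the query string, then HTML-escape the attribute."""
    href = "/rewards/profile?user=" + quote(display_name, safe="")
    return f'<a href="{html.escape(href, quote=True)}">profile</a>'


def csp_header() -> tuple:
    """Nonce-based CSP: only scripts carrying this request's nonce may run, so an
    injected inline script is blocked even where encoding was missed."""
    nonce = secrets.token_urlsafe(16)
    policy = ("default-src 'self'; "
              f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'")
    return nonce, policy


# Heuristic: markup or script fragments submitted where plain text is expected.
SUSPICIOUS_RE = re.compile(r"<\s*[a-zA-Z/!]|on[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def suspicious_requests(log_lines: list) -> list:
    """Return (line_no, param) pairs whose decoded query values look like injected markup."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)  # common-log-format request line
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                # parse_qs already decodes once; a second unquote catches double-encoding.
                if SUSPICIOUS_RE.search(unquote(v)):
                    hits.append((n, param))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2025:08:42:06 +0000] "POST /rewards/profile?action=save&display_name=Alice HTTP/1.1" 200 51',
    '10.0.0.9 - - [04/Jul/2025:08:43:11 +0000] "POST /rewards/profile?action=save&display_name=%3Cb+title%3Dx%3EVIP%3C%2Fb%3E HTTP/1.1" 200 51',
    '10.0.0.7 - - [04/Jul/2025:08:44:02 +0000] "GET /rewards?page=2 HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    print(render_unsafe(STORED_DISPLAY_NAME), tag_names(render_unsafe(STORED_DISPLAY_NAME)))
    print(render_safe(STORED_DISPLAY_NAME), tag_names(render_safe(STORED_DISPLAY_NAME)))
    print(csp_header()[1])
    print(suspicious_requests(SAMPLE_LOG))
```

The tag count is the useful comparison: the unsafe render emits a `<b>` element that came from stored user data, while every hardened render emits only the tags the template itself contains. The log check is deliberately coarse; it is a triage signal for the "unusual input patterns" the recommendations mention, not a substitute for fixing the sink.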

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-01-23T14:53:08.866Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686796cb6f40f0eb729fa54e

Added to database: 7/4/2025, 8:54:35 AM

Last enriched: 7/4/2025, 9:14:47 AM

Last updated: 7/8/2025, 2:24:31 PM
