PagerDuty Runbook Client-Side Exposure of Stored Secrets Vulnerability
Vulnerability
A vulnerability in PagerDuty Runbook, prior to June 12, 2025, allows for the client-side exposure of stored secrets on the configuration page. Although these secrets are displayed as masked password fields, the actual values can be accessed in the page source. By changing the input field type from 'password' to 'text' using browser developer tools, the hidden secrets can be revealed. This issue affects administrative users with access to the configuration page.
Impact
Exploitation of this vulnerability results in the unauthorized disclosure of sensitive stored secrets to administrative users who access the configuration page, who could then misuse those secrets. The password masking is only a display convention; because the values are embedded in the page markup, any user who can load the page can read them.
Reproduction
To reproduce this vulnerability, an administrative user must access the configuration page of PagerDuty Runbook. Once there, the user can locate the fields that contain the stored secrets, which will appear masked as password inputs. By using browser developer tools to change the input type from 'password' to 'text', the actual secret values can be exposed.
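As an added illustration (not code from PagerDuty or from the advisory), the following Python shows a defensive audit check for the pattern described above, where a stored secret is rendered into the value attribute of a masked input, alongside a write-only rendering that never sends the secret back to the client. The sample markup, field names and secret values are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample of a configuration page that renders stored secrets into
# the value attribute of masked fields. The mask is purely visual: the values
# are readable in the page source no matter what the input type says.
VULNERABLE_CONFIG_PAGE = """
<form action="/config" method="post">
  <label>API token</label>
  <input type="password" name="api_token" value="EXAMPLE-SECRET-TOKEN">
  <label>Webhook secret</label>
  <input type="password" name="webhook_secret" value="EXAMPLE-WEBHOOK-SECRET"/>
  <input type="text" name="display_name" value="ops-team">
</form>
"""


class PasswordValueAuditor(HTMLParser):
    """Collects password inputs whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # attributes without a value map to None
        if a.get("type", "text").lower() == "password" and a.get("value"):
            self.findings.append(a.get("name", "<unnamed>"))


def find_exposed_secret_fields(html):
    """Return the names of password fields that carry a value in the markup."""
    auditor = PasswordValueAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def render_secret_field(name, is_set):
    """Hardened form: a write-only field that does not echo the stored secret.

    The client learns only whether a value is currently configured; replacing
    the secret means typing a new one, never reading the old one back.
    """
    hint = "configured; enter a new value to replace" if is_set else "not set"
    return (f'<input type="password" name="{escape(name)}" value="" '
            f'autocomplete="new-password" placeholder="{escape(hint)}">')
```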
