CVE-2025-52493
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-12
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pagerduty | pagerduty | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in PagerDuty Runbook allows stored secrets to be exposed directly in the webpage DOM on the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by changing the input field type from "password" to "text" using browser developer tools. This can be exploited by administrative users who have access to the configuration page.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive secrets if an administrative user with access to the configuration page intentionally or accidentally reveals the stored secrets. This could compromise security by exposing credentials or other confidential information stored in the configuration.
What immediate steps should I take to mitigate this vulnerability?
Since the vulnerability exposes stored secrets in the webpage DOM on the configuration page accessible by administrative users, immediate mitigation steps include restricting administrative access to the configuration page, avoiding use of the affected PagerDuty Runbook versions through 2025-06-12, and monitoring for updates or patches from PagerDuty to fix this issue. Additionally, educate administrators to avoid revealing password fields by modifying input types in browser developer tools.
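The exposure pattern described in the first answer, placed beside a write-only rendering that the mitigation answer would call for, as an added example that is not part of this record or of PagerDuty's code. The secret name and value are constructed, and the field names and the audit helper are assumptions for illustration:

```python
import html
import re

# Constructed sample: one stored integration secret as it might sit in a
# configuration store (the value is made up for this example).
STORED_SECRETS = {"slack_webhook_token": "xoxb-EXAMPLE-0000"}


def render_vulnerable(name: str, secret: str) -> str:
    """Vulnerable pattern: the real secret is echoed into a password field.
    The masking is cosmetic; the value is in the DOM and the page source."""
    return (f'<input type="password" name="{html.escape(name)}" '
            f'value="{html.escape(secret)}">')


def render_hardened(name: str, is_set: bool) -> str:
    """Hardened pattern: the field is write-only. The server never sends the
    stored value back; it only signals whether a value exists, and an empty
    submission is treated as 'leave unchanged'."""
    hint = "configured, leave blank to keep" if is_set else "not configured"
    return (f'<input type="password" name="{html.escape(name)}" value="" '
            f'autocomplete="new-password" placeholder="{hint}">')


# Audit helper (assumed, not a PagerDuty tool): report password inputs whose
# value attribute is non-empty. A non-empty value means a secret is present in
# the rendered HTML no matter how the browser displays it.
_PW_INPUT = re.compile(r'<input\b[^>]*type="password"[^>]*>', re.I)
_VALUE = re.compile(r'\bvalue="([^"]*)"', re.I)
_NAME = re.compile(r'\bname="([^"]*)"', re.I)


def leaked_password_fields(page_html: str) -> list[str]:
    leaks = []
    for tag in _PW_INPUT.findall(page_html):
        value = _VALUE.search(tag)
        if value and value.group(1):
            name = _NAME.search(tag)
            leaks.append(name.group(1) if name else "<unnamed>")
    return leaks  # field names only; the audit never prints the secret


if __name__ == "__main__":
    bad = render_vulnerable("slack_webhook_token", STORED_SECRETS["slack_webhook_token"])
    good = render_hardened("slack_webhook_token", True)
    print("vulnerable page leaks:", leaked_password_fields(bad))   # ['slack_webhook_token']
    print("hardened page leaks:", leaked_password_fields(good))    # []
```

The audit can be run over any saved configuration page to confirm that no password field carries a server-supplied value after a fix is deployed.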