Description
An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.
This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.
Potential Impact
Confidentiality, Integrity, Availability
Execute Unauthorized Code or Commands
Mitigations & Prevention
During development, do not mark the control as safe for scripting.
After distribution, you can set the kill bit for the control so that Internet Explorer will no longer instantiate it.
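As an added example (not part of the CWE entry or any vendor tooling), the following Python audit scans a .reg export for controls registered in the SafeForScripting component category that lack the Internet Explorer kill bit. The CLSIDs in the sample export are constructed placeholders; the category GUID and the 0x400 kill-bit flag are the documented Windows values, and safety declared only at run time through IObjectSafety is outside what a registry scan can see.

```python
import re

# Registry conventions assumed here (Windows, not taken from the CWE entry):
# a control advertises scriptability through a component-category subkey under
# its CLSID, and IE honours the kill bit (0x400) in "Compatibility Flags".
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x00000400

KEY_RE = re.compile(r"^\[(.+)\]$")
CATEGORY_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]+\})\\Implemented Categories\\(\{[0-9A-F-]+\})$", re.I)
COMPAT_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-F-]+\})$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.I)


def audit_reg_export(text):
    """Return CLSIDs marked safe-for-scripting in the registry that have no kill bit.

    Only registry-declared safety is visible; a control answering IObjectSafety
    at run time has to be reviewed in its source instead.
    """
    scriptable, killed = set(), set()
    compat_clsid = None  # CLSID of the ActiveX Compatibility key currently being read
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            compat_clsid = None
            cat = CATEGORY_RE.match(key.group(1))
            if cat and cat.group(2).upper() == CATID_SAFE_FOR_SCRIPTING:
                scriptable.add(cat.group(1).upper())
            comp = COMPAT_RE.match(key.group(1))
            if comp:
                compat_clsid = comp.group(1).upper()
            continue
        flags = FLAGS_RE.match(line)
        if flags and compat_clsid and int(flags.group(1), 16) & KILL_BIT:
            killed.add(compat_clsid)
    return sorted(scriptable - killed)


# Constructed .reg export with placeholder CLSIDs; only the first one has the kill bit.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    for clsid in audit_reg_export(SAMPLE_REG):
        print("safe-for-scripting without kill bit:", clsid)
```

Run against a real export (`reg export HKCR\CLSID` plus the ActiveX Compatibility key) to list controls that still need the kill bit set.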
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2007-0617 | control allows attackers to add malicious email addresses to bypass spam limits |
| CVE-2007-0219 | web browser uses certain COM objects as ActiveX |
| CVE-2006-6510 | kiosk allows bypass to read files |
Related Weaknesses
Frequently Asked Questions
What is CWE-623?
CWE-623 (Unsafe ActiveX Control Marked Safe For Scripting) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.
How can CWE-623 be exploited?
Attackers can exploit CWE-623 (Unsafe ActiveX Control Marked Safe For Scripting) to execute unauthorized code or commands. This weakness is typically introduced during the Architecture and Design or Implementation phases of software development.
How do I prevent CWE-623?
Key mitigations include: during development, do not mark the control as safe for scripting.
What is the severity of CWE-623?
CWE-623 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 3 real-world CVEs.