CWE-623: Unsafe ActiveX Control Marked Safe For Scripting
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.
扩展描述
This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.
常见后果
影响范围: Confidentiality Integrity Availability
技术影响: Execute Unauthorized Code or Commands
潜在缓解措施
阶段: Architecture and Design
描述: During development, do not mark it as safe for scripting.
阶段: System Configuration
描述: After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.
观察示例
参考: CVE-2007-0617
control allows attackers to add malicious email addresses to bypass spam limits
参考: CVE-2007-0219
web browser uses certain COM objects as ActiveX
参考: CVE-2006-6510
kiosk allows bypass to read files
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | - |