
CWE-623 Individual Dictionary Definition (Draft 9)

Unsafe ActiveX Control Marked Safe For Scripting
Weakness ID: 623 (Weakness Variant)
Status: Draft

Description

Summary

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

Extended Description

This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.

Weakness Ordinality

Primary (Weakness exists independent of other weaknesses)

Potential Mitigations

During development, do not mark the control as safe for scripting (or safe for initialization) unless every method and property it exposes is safe to call from an untrusted web page.

After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.
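The two mitigations above correspond to two registry facts on a Windows host: a control is marked safe for scripting or safe for initialization by registering the well-known component categories CATID_SafeForScripting and CATID_SafeForInitializing under its CLSID, and the kill bit is the 0x400 flag in the "Compatibility Flags" value under Internet Explorer's ActiveX Compatibility key. The following PowerShell script is an added example, not part of the CWE entry, that audits a control's safe-for-scripting markings and its kill-bit status and provides a function to set the kill bit. The CLSID used as the default is a placeholder; the CATID and kill-bit values are Microsoft-documented constants.

```powershell
# Added example (not from the CWE entry): audit and mitigate an ActiveX control
# that has been marked safe for scripting. Run in an elevated PowerShell session;
# $Clsid below is a placeholder, substitute the real CLSID of the control.
param([string]$Clsid = '{00000000-0000-0000-0000-000000000000}')

# Component category IDs (CATIDs) that mark a control as safe for scripting
# and safe for initialization. These are the Microsoft-defined constants.
$CatidSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatidSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# The kill bit: when this flag is set in "Compatibility Flags" for a CLSID,
# Internet Explorer refuses to instantiate the control.
$KillBit = 0x400

$ActiveXCompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-ActiveXSafeMarking {
    # Reports whether the control registers itself in the safe-for-* categories.
    param([string]$Clsid)
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories"
    [pscustomobject]@{
        Clsid               = $Clsid
        SafeForScripting    = Test-Path (Join-Path $base $CatidSafeForScripting)
        SafeForInitializing = Test-Path (Join-Path $base $CatidSafeForInitializing)
    }
}

function Test-ActiveXKillBit {
    # Returns $true if the kill bit is already set for the CLSID.
    param([string]$Clsid)
    $key   = Join-Path $ActiveXCompatKey $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    [bool]([int]$flags -band $KillBit)
}

function Set-ActiveXKillBit {
    # Sets the kill bit, preserving any other Compatibility Flags already present.
    param([string]$Clsid)
    $key = Join-Path $ActiveXCompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Audit: a control that is safe-for-scripting but has no kill bit is the
# exposure this CWE describes.
$marking = Test-ActiveXSafeMarking -Clsid $Clsid
$marking | Format-List
if ($marking.SafeForScripting -and -not (Test-ActiveXKillBit -Clsid $Clsid)) {
    Write-Warning "$Clsid is marked safe for scripting and is reachable from IE (no kill bit)."
    # Uncomment to apply the post-distribution mitigation from the entry:
    # Set-ActiveXKillBit -Clsid $Clsid
}
```

On 64-bit Windows, 32-bit controls are registered under the Wow6432Node view of the same keys, so an audit of a 32-bit control from a 64-bit PowerShell session should also check HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility. Setting the kill bit only blocks the control inside Internet Explorer and other hosts that honour the ActiveX Compatibility key; it does not fix the control itself, which is why the development-time mitigation of not marking it safe is the primary fix.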

Observed Examples
Reference      Description
CVE-2007-0617  add emails to spam whitelist
CVE-2007-0219  web browser uses certain COM objects as ActiveX
CVE-2006-6510  kiosk allows bypass to read files
Research Gaps

It is suspected that this is under-reported.

References
Relationships
Nature   Type              ID   Name
ChildOf  Weakness Base     267  Privilege Defined With Unsafe Actions
ChildOf  Weakness Class    691  Insufficient Control Flow Management
ChildOf  Weakness Class    398  Indicator of Poor Code Quality
PeerOf   Weakness Variant  618  Exposed Unsafe ActiveX Method
Page Last Updated: April 22, 2008