CWE-623: Unsafe ActiveX Control Marked Safe For Scripting

VariantDraft

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

View on MITRE
Back to CWE Lookup

Extended Description

This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-623: Unsafe ActiveX Control Marked Safe For Scripting?+

CWE-623: Unsafe ActiveX Control Marked Safe For Scripting is a Common Weakness Enumeration (CWE) entry maintained by MITRE. An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting. This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.

What are the security consequences of Unsafe ActiveX Control Marked Safe For Scripting?+

If exploited, CWE-623 (Unsafe ActiveX Control Marked Safe For Scripting) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Execute Unauthorized Code or Commands.

How do you prevent or mitigate Unsafe ActiveX Control Marked Safe For Scripting?+

Recommended mitigations for CWE-623 include: During development, do not mark it as safe for scripting. After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.

What are real-world examples of Unsafe ActiveX Control Marked Safe For Scripting?+

MITRE documents real CVEs mapped to CWE-623, including CVE-2007-0617, CVE-2007-0219 and CVE-2006-6510. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-623 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More