An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.
View on MITREThis might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.
During development, do not mark it as safe for scripting.
After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.
No detection method information available for this CWE.
control allows attackers to add malicious email addresses to bypass spam limits
View DetailsCWE-623: Unsafe ActiveX Control Marked Safe For Scripting is a Common Weakness Enumeration (CWE) entry maintained by MITRE. An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting. This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.
If exploited, CWE-623 (Unsafe ActiveX Control Marked Safe For Scripting) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Execute Unauthorized Code or Commands.
Recommended mitigations for CWE-623 include: During development, do not mark it as safe for scripting. After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.
MITRE documents real CVEs mapped to CWE-623, including CVE-2007-0617, CVE-2007-0219 and CVE-2006-6510. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-623 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.