CWE-623: Unsafe ActiveX Control Marked Safe For Scripting
Description
An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.
Extended Description
This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.
ThreatScore
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
Observed Examples (CVEs)
CVE-2007-0617: control allows attackers to add malicious email addresses to bypass spam limits
CVE-2007-0219: web browser uses certain COM objects as ActiveX
CVE-2006-6510: kiosk allows bypass to read files
Related Attack Patterns (CAPEC)
N/A
Attack TTPs
N/A
Modes of Introduction
Phase: Architecture and Design (Note: N/A)
Phase: Implementation (Note: N/A)
Common Consequences
Impact: Execute Unauthorized Code or Commands (Notes: N/A)
Potential Mitigations
Architecture and Design: During development, do not mark the control as safe for scripting. (N/A)
System Configuration: After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer. (N/A)
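As an added example (not part of this CWE entry or the platform's own content), the following PowerShell audits a control's registration for the safe-for-scripting component category and applies the kill bit mitigation described above. The CLSID is a placeholder; the category GUID, the ActiveX Compatibility registry key and the 0x400 flag are the documented Windows values.

```powershell
# Added example: audit an ActiveX control's safe-for-scripting marking and apply the kill bit.
# Run in an elevated PowerShell session; writing under HKLM requires administrator rights.

# Placeholder CLSID of the control under review (replace with the real one).
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Component category that statically marks a control "safe for scripting" (CATID_SafeForScripting).
$SafeForScriptingCatId = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'

function Test-SafeForScripting {
    param([string]$Clsid)
    # Controls advertise safety statically via "Implemented Categories" subkeys under their CLSID.
    # A control may also answer IObjectSafety at runtime; that path is not checked here.
    $catKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\Implemented Categories\$SafeForScriptingCatId"
    return (Test-Path -Path $catKey)
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    # The kill bit (Compatibility Flags bit 0x400) stops Internet Explorer from loading the
    # control at all, regardless of how the control describes its own safety.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -Path $compatKey)) {
        New-Item -Path $compatKey -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor 0x400   # preserve any other flags already set
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

if (Test-SafeForScripting -Clsid $Clsid) {
    Write-Warning "$Clsid is registered as safe for scripting; any web page loaded in IE may script it."
    Set-ActiveXKillBit -Clsid $Clsid
    Write-Output "Kill bit set for $Clsid."
} else {
    Write-Output "$Clsid does not advertise safe-for-scripting via Implemented Categories."
}
```

On 64-bit Windows a 32-bit control registers under the WOW6432Node view of both keys, so the audit should be repeated there.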
Applicable Platforms
Demonstrative Examples
N/A
Notes
© BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me