CWE-623
Unsafe ActiveX Control Marked Safe For Scripting
Draft
2007-05-07
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Unsafe ActiveX Control Marked Safe For Scripting
An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.
Description du CWE
This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control's behavior.
Informations générales
Modes d'introduction
Architecture and DesignImplementation
Plateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Technologies
Class: Web Based (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality Integrity Availability | Execute Unauthorized Code or Commands |
Exemples observés
| Références | Description |
|---|---|
CVE-2007-0617 | control allows attackers to add malicious email addresses to bypass spam limits |
CVE-2007-0219 | web browser uses certain COM objects as ActiveX |
CVE-2006-6510 | kiosk allows bypass to read files |
Mesures d’atténuation potentielles
Phases : Architecture and DesignDuring development, do not mark it as safe for scripting.
Phases : System Configuration
After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-503
Developing Secure ActiveX ControlsMicrosoft.
https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN
REF-510
How to stop an ActiveX control from running in Internet ExplorerMicrosoft.
https://support.microsoft.com/en-us/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer
REF-7
Writing Secure CodeMichael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
REF-62
The Art of Software Security AssessmentMark Dowd, John McDonald, Justin Schuh.
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | Draft 6 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Description, Relationships, Observed_Example, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Research_Gaps | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Applicable_Platforms |
