Description
An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.
This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control’s behavior.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
CWE-267
CWE-691
CWE-618
Consequences
Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands
Potential Mitigations
Phase: Architecture and Design
Description:
During development, do not mark it as safe for scripting.
Phase: System Configuration
Description:
After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.
CVE References
- CVE-2007-0617
- control allows attackers to add malicious email addresses to bypass spam limits
