3 vulnerabilities classified as CWE-623 (不安全的ActiveX控件被标记为脚本安全). AI Chinese analysis included.
CWE-623 represents a critical configuration weakness where an ActiveX control, originally designed for restricted environments, is incorrectly flagged as safe-for-scripting. This misconfiguration allows malicious web pages to instantiate and execute the control’s functionality without triggering security warnings or requiring explicit user consent. Attackers typically exploit this by embedding the vulnerable control within a compromised website, enabling remote code execution, data exfiltration, or system compromise through the control’s privileged operations. To prevent this vulnerability, developers must rigorously audit component configurations, ensuring that only controls with verified, low-risk behaviors are marked as safe-for-scripting. Furthermore, implementing strict content security policies and disabling unnecessary ActiveX support in browsers can mitigate the attack surface, ensuring that potentially dangerous components remain isolated from untrusted web contexts.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2011-10028 | RealNetworks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution — RealArcade ActiveX | 8.4AI | HighAI | 2025-08-20 |
| CVE-2018-17925 | GE iFIX Gigasoft组件安全漏洞 — iFix | 6.3 | - | 2018-10-10 |
| CVE-2014-2368 | Advantech WebAccess Unsafe ActiveX Control Marked Safe For Scripting — WebAccess | 7.5 | - | 2014-07-19 |
Vulnerabilities classified as CWE-623 (不安全的ActiveX控件被标记为脚本安全) represent 3 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.