Inclusion of Web Functionality from an Untrusted Source

CVE-2025-46652

Medium

6.1/10

Summary

In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an archive file that bears Mark-of-the-Web, Mark-of-the-Web is not propagated to the extracted files. NOTE: this is disputed because Mark-of-the-Web propagation can increase risk via security-warning habituation, and because the intended control sphere for file-origin metadata (e.g., HostUrl in Zone.Identifier) may be narrower than that for reading the file's content.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-830 - Inclusion of Web Functionality from an Untrusted Source

The software includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the software, potentially granting total access and control of the software to the untrusted source.

References

Advisory Timeline

Published Apr 26, 2025

Inclusion of Web Functionality from an Untrusted Source

CVE-2025-46652

Summary

CWE-830 - Inclusion of Web Functionality from an Untrusted Source

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS