sublimecriticalRule

CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG

Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document.

MITRE ATT&CK

T1566.001 T1204.002 T1486 T1036 T1027 T1190 T1203 T1059

defense-evasionexecution

Detection Query

type.inbound
and length(attachments) == 0
and strings.ilike(body.html.raw,
                  '*use href="data:image/svg+xml;base64,PHN2Zy*#*'
)
and not profile.by_sender().solicited

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

Raw Content

name: "CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG"
description: "Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document."
references:
  - "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/"
  - "https://nvd.nist.gov/vuln/detail/CVE-2023-5631"
type: "rule"
severity: "critical"
source: |
  type.inbound
  and length(attachments) == 0
  and strings.ilike(body.html.raw,
                    '*use href="data:image/svg+xml;base64,PHN2Zy*#*'
  )
  and not profile.by_sender().solicited
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "8405d61b-4330-534e-b64c-f98ee15d8767"