CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG

Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document.

Sublime rule

name: "CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG"
description: "Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document."
references:
  - "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/"
  - "https://nvd.nist.gov/vuln/detail/CVE-2023-5631"
type: "rule"
severity: "critical"
source: |
  type.inbound
  and length(attachments) == 0
  and strings.ilike(body.html.raw, '*use href="data:image/svg+xml;base64,PHN2Zy*#*')
  and not profile.by_sender().solicited
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "8405d61b-4330-534e-b64c-f98ee15d8767"
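The rule's four conjuncts, re-implemented in Python as an added example for readers who want to see the logic run over sample messages; this is not Sublime's code and not part of the rule above. The `Message` class, the `ilike` glob approximation and the sample bodies are assumptions constructed here, and the sample SVG is deliberately inert (a named group with a rectangle, no script or event handlers). The helper `svg_base64_prefix` shows why the magic string `PHN2Zy` appears in the rule: it is the base64 encoding of the bytes `<svg ` that open an SVG document, so the rule fires only when the data URI decodes to an SVG rather than to some other `image/svg+xml`-labelled blob. `decode_svg_use_payloads` is the triage step an analyst would run on a hit: pull out and decode each referenced SVG so its contents can be inspected.

```python
import base64
import re
from dataclasses import dataclass, field

# Pattern copied from the rule. strings.ilike is a case-insensitive wildcard
# match in which '*' matches any run of characters (assumed semantics).
RULE_PATTERN = '*use href="data:image/svg+xml;base64,PHN2Zy*#*'


def ilike(haystack: str, pattern: str) -> bool:
    """Approximation of Sublime's strings.ilike: case-insensitive glob, '*' = any run."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, haystack, re.IGNORECASE | re.DOTALL) is not None


def svg_base64_prefix() -> str:
    """The first six base64 characters of '<svg ' explain the literal in the rule."""
    return base64.b64encode(b"<svg ").decode()[:6]


@dataclass
class Message:
    """Constructed stand-in for the message fields the rule reads."""
    body_html: str
    attachments: list = field(default_factory=list)
    solicited: bool = False   # stands in for profile.by_sender().solicited
    inbound: bool = True      # stands in for type.inbound


def rule_matches(msg: Message) -> bool:
    """Mirrors the rule's 'source' block conjunct by conjunct."""
    return (
        msg.inbound
        and len(msg.attachments) == 0
        and ilike(msg.body_html, RULE_PATTERN)
        and not msg.solicited
    )


# Matches a <use> element whose href is a base64 data URI with a fragment (#...).
USE_HREF_RE = re.compile(
    r'<use\s[^>]*href="data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)#',
    re.IGNORECASE,
)


def decode_svg_use_payloads(html: str) -> list:
    """Decode every base64 SVG referenced via <use href="data:..."> for triage."""
    out = []
    for b64 in USE_HREF_RE.findall(html):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed base64: leave it for manual review
    return out


# Constructed, harmless SVG: a named group the <use> fragment (#x) points at.
_SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<g id="x"><rect width="4" height="4"/></g></svg>')
_SAMPLE_B64 = base64.b64encode(_SAMPLE_SVG).decode()

# Constructed sample bodies: one shaped like what the rule looks for, one ordinary.
HIT_MESSAGE = Message(
    body_html=('<p>Invoice attached</p><svg>'
               f'<use href="data:image/svg+xml;base64,{_SAMPLE_B64}#x"/></svg>'),
)
BENIGN_MESSAGE = Message(
    body_html='<p>Hi</p><img src="data:image/png;base64,iVBORw0KGgo=">',
)

if __name__ == "__main__":
    print("prefix of base64('<svg '):", svg_base64_prefix())
    for label, msg in (("hit", HIT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", rule_matches(msg))
    for svg in decode_svg_use_payloads(HIT_MESSAGE.body_html):
        print("decoded payload:", svg)
```

Note the two exclusions the rule relies on: a message with any attachment, or one from a sender the recipient has previously corresponded with (`solicited`), does not fire even if the body pattern is present. Those are precision trade-offs, so an environment that sees this pattern in attached `.eml` files would need a separate rule.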