From f8375e57bfad50d6b2d242c7d2c58bc846b96ef4 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Wed, 25 Oct 2023 21:39:23 +0000
Subject: [PATCH] Sync from PR#881 New rule: body_cve_2023_5631.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/881 Source SHA 9123fec1b8179a7f37f69e16c37acbee7eeb8b41 Triggered by @aidenmitchell
---
detection-rules/body_cve_2023_5631.yml | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 detection-rules/body_cve_2023_5631.yml
diff --git a/detection-rules/body_cve_2023_5631.yml b/detection-rules/body_cve_2023_5631.yml
new file mode 100644
index 00000000000..dae2acb39c2
--- /dev/null
+++ b/detection-rules/body_cve_2023_5631.yml
@@ -0,0 +1,26 @@
+name: "Body: CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG"
+description: "Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document."
+references:
+ - "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/"
+ - "https://nvd.nist.gov/vuln/detail/CVE-2023-5631"
+type: "rule"
+severity: "critical"
+source: |
+ type.inbound
+ and length(attachments) == 0
+ and strings.ilike(body.html.raw, '*use href="data:image/svg+xml;base64,PHN2Zy*#*')
+ and not profile.by_sender().solicited
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Exploit"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Content analysis"
+ - "HTML analysis"
+ - "Sender analysis"
+id: "8405d61b-4330-534e-b64c-f98ee15d8767"
+testing_pr: 881
+testing_sha: 9123fec1b8179a7f37f69e16c37acbee7eeb8b41
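Review bot: The `strings.ilike` condition in `source` is pinned to one exact serialization of the markup (`use href="` with a single space and double quotes, followed by a base64 body starting `PHN2Zy`), so the same CVE-2023-5631 content written with different quoting or whitespace would not match. A more tolerant condition such as `and regex.icontains(body.html.raw, '<use\s[^>]*href\s*=\s*.data:image/svg\+xml;base64,')` would cover those forms, though it is broader and would need a false-positive pass before merging. `length(attachments) == 0` also skips any message that carries an attachment, even though the content being inspected is in the HTML body. If that gate and `not profile.by_sender().solicited` are there only to limit noise, a `#` comment above `source` saying so would help; otherwise the attachment gate looks safe to drop.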