diff --git a/detection-rules/body_cve_2023_5631.yml b/detection-rules/body_cve_2023_5631.yml new file mode 100644 index 00000000000..71027366f83 --- /dev/null +++ b/detection-rules/body_cve_2023_5631.yml @@ -0,0 +1,24 @@ +name: "Body: CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG" +description: "Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document." +references: + - "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/" + - "https://nvd.nist.gov/vuln/detail/CVE-2023-5631" +type: "rule" +severity: "critical" +source: | + type.inbound + and length(attachments) == 0 + and strings.ilike(body.html.raw, '*use href="data:image/svg+xml;base64,PHN2Zy*#*') + and not profile.by_sender().solicited +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Exploit" + - "HTML smuggling" + - "Scripting" +detection_methods: + - "Content analysis" + - "HTML analysis" + - "Sender analysis" +id: "8405d61b-4330-534e-b64c-f98ee15d8767"