Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Roundcube webmail cross-site-scripting attempt

Rule Explanation

This event is generated when an smtp file triggers a cross site scripting event in a Roundcube webmail server. Impact: Attempted User Privilege Gain Details: Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Rule Vulnerability

CVE Additional Information

CVE-2018-19206
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
Details
Severity Base Score6.1
Impact Score2.7 Exploit Score2.8
Confidentiality ImpactLOW Integrity ImpactLOW
Availability ImpactNONE Attack VectorNETWORK
ScopeCHANGED User InteractionREQUIRED
Authentication Ease of AccessLOW
Privileges RequiredNONE