Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Roundcube webmail cross-site-scripting attempt

Rule Explanation

This event is generated when an SMTP file triggers a cross-site scripting event in a Roundcube webmail server.

Impact: Attempted User Privilege Gain

Details:

Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives


Cisco Talos Intelligence Group

Rule Vulnerability

CVE Additional Information

steps/mail/ in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
Severity Base Score: 6.1
Impact Score: 2.7
Exploit Score: 2.8
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Attack Vector: NETWORK
Scope: CHANGED
User Interaction: REQUIRED
Authentication:
Ease of Access: LOW
Privileges Required: NONE