alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Roundcube Webmail XSS Attempt (CVE-2023-5631)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<html>"; content:"<svg><use href=|22|data:image/"; pcre:"/<svg><use href=|22|data:image\/s[ \t\n]{1,}vg\+xml|2b|base64,/Ri"; content:"|3b|base64"; distance:0; content:"</html>"; distance:0; reference:url,roundcube.net/news/2023/10/16/security-update-1.6.4-released; reference:url,roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15; reference:cve,2023-5631; classtype:attempted-user; sid:2049139; rev:1; metadata:affected_product Roundcube, attack_target Client_Endpoint, created_at 2023_11_08, cve CVE_2023_5631, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag XSS, tag CISA_KEV, updated_at 2023_11_08;)