alert smtp any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Roundcube XSS via Malicious XML Attachment (CVE-2020-13965)"; flow:established,to_server; content:"Content-Type|3a 20|text/xml|3b 20|name|3d 22|"; content:".xml|22|"; within:50; content:"Content-Disposition|3a 20|inline|3b 20|filename|3d 22|"; content:".xml|22|"; within:50; content:"|3c|"; distance:0; content:"|3a|script|20|xmlns|3a|"; within:50; fast_pattern; content:"|2f|xhtml|22 3e|"; within:150; content:"|3a|script|3e|"; within:400; reference:url,github.com/mbadanoiu/CVE-2020-13965; reference:cve,2020-13965; classtype:web-application-attack; sid:2059898; rev:1; metadata:affected_product Roundcube, attack_target Web_Server, tls_state plaintext, created_at 2025_02_05, cve CVE_2020_13965, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)