Hello everyone,
Since yesterday, we have been experiencing a consistent IPS alert from our firewall (XGS Vers. SFOS 20.0.2 MR-2-Build378 ). The affected connection is between our email gateway/proxy in the DMZ and our mail server.
Every 30 minutes, 7 or 8 new IPS alarms pop up, stating: "SERVER-WEBAPP Roundcube Webmail html4inline CVE-2024-42009 Stored Cross-Site Scripting."
However, we are not using Roundcube.
We've also checked our perimeter firewall (located before the XGS) for any noticeable inbound connections towards the mail proxy server but couldn’t find any.
We even disabled the connection from the WAN to the mail proxy, yet the IPS alerts kept appearing.
We haven’t made any configuration changes to our mail server or mail proxy since yesterday.
The alarms started appearing after yesterday’s IPS and application signatures update (18.22.49).
Has anyone else been seeing this alarm since yesterday?
Could it be that Sophos is mistakenly flagging a false positive for this signature after the update?
Edited TAGs
[edited by: Erick Jan at 7:55 AM (GMT -7) on 2 Oct 2024]