CVE-2023-35813
published 2023-06-17

CVE-2023-35813: Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.

Priority: P193 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.69% (99.7th percentile)

Affected (4 ranges)

Vendor     Product               Version range   Fixed in
sitecore   experience_commerce   8.2 – 10.3
sitecore   experience_manager    8.2 – 10.3
sitecore   experience_platform   8.2 – 10.3
sitecore   managed_cloud         8.2 – 10.3

Detection & IOCs (extracted from sources)

url:   /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index
path:  /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index
snort (sid 2061258):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sitecore Experience Platforms Remote Code Execution (CVE-2023-35813)"; flow:established,to_server; http.uri; content:"/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"; fast_pattern; http.request_body; content:"__PARAMETERS|3d|ParseControl|28|"; pcre:"/^[^\x26\x0d\x0a]*?\x253[cC]\x2525(?:\x25(?:40|23|24))/R"; reference:url,code-white.com/blog/exploiting-asp.net-templateparser-part-1/; reference:cve,2023-35813; classtype:web-application-attack; sid:2061258; rev:1; metadata:affected_product Sitecore_CMS, attack_target Server, created_at 2025_04_03, cve CVE_2023_35813, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: __PARAMETERS|3d|ParseControl|28|
pcre:  /^[^\x26\x0d\x0a]*?\x253[cC]\x2525(?:\x25(?:40|23|24))/R
  • Vulnerability probe can be detected by checking for the string 'TestVulnerability' in the Content-Type response header after sending the initial test payload
  • Successful exploitation response contains 'commands', 'command', and 'value' in the body with HTTP 200 status and a reflected string in the Content-Type header
  • Shodan/FOFA fingerprinting: target Sitecore instances can be identified by page title 'Sitecore' before exploitation
  • The exploit is unauthenticated (no session/auth cookies required); any POST to the XAML handler with a crafted __PARAMETERS value should be treated as a high-severity alert
  • Affected versions span a wide range: Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release through 10.3 Initial Release; version 8.2 is also impacted
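The Snort rule above chains three ordered checks: the handler URI, the `__PARAMETERS=ParseControl(` body content, and a relative pcre that requires a URL-encoded `<%` directive start (`%3c%25` then `%40`, `%23` or `%24`) before the next `&` or line break. The following Python is an added example written for this page (not the ET rule's code and not from any Sitecore or cvebase source) that mirrors that logic over constructed sample requests, so a defender can see which request shapes the rule does and does not fire on.

```python
import re

# Constants transcribed from the Snort rule on this page (sid 2061258).
URI_MARKER = b"/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
BODY_MARKER = b"__PARAMETERS=ParseControl("  # |3d| is '=' and |28| is '('
# The rule's pcre carries the /R modifier, so it is anchored where the previous
# content match ended. In Python that means running it on the slice of the body
# that follows BODY_MARKER. It allows any bytes except '&', CR and LF, then
# requires the URL-encoded sequence '<%' followed by '@', '#' or '$'.
TEMPLATE_RE = re.compile(rb"^[^&\r\n]*?%3[cC]%25(?:%(?:40|23|24))")


def matches_sid_2061258(uri: bytes, body: bytes) -> bool:
    """Apply the rule's three ordered checks: URI content, body content, relative pcre."""
    if URI_MARKER not in uri:
        return False
    # Snort retries a relative pcre at each later occurrence of the content
    # match, so walk every occurrence instead of stopping at the first one.
    start = body.find(BODY_MARKER)
    while start != -1:
        if TEMPLATE_RE.match(body[start + len(BODY_MARKER):]):
            return True
        start = body.find(BODY_MARKER, start + 1)
    return False


# Constructed sample requests, not captured traffic: (label, uri, body).
SAMPLES = [
    ("encoded-directive", URI_MARKER,
     b"__PARAMETERS=ParseControl(%3C%25%40PLACEHOLDER%25%3E)"),
    ("plain-argument", URI_MARKER,
     b"__PARAMETERS=ParseControl(plain)"),
    # The encoded marker sits in a later form field; the pcre's [^&]* stops at '&'.
    ("marker-in-next-field", URI_MARKER,
     b"__PARAMETERS=ParseControl(x)&other=%3c%25%40"),
    ("other-handler", b"/some/other/handler.ashx",
     b"__PARAMETERS=ParseControl(%3c%25%40)"),
]


def scan(samples=SAMPLES):
    """Return the labels of the sample requests that trigger the rule."""
    return [label for label, uri, body in samples if matches_sid_2061258(uri, body)]


if __name__ == "__main__":
    print(scan())  # ['encoded-directive']
```

Note that the rule is case-sensitive on the body content and only tolerates `%3c`/`%3C` case variation, so a WAF or log-search port of it should apply the same normalisation Snort's http buffers do before comparing.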

CVSS provenance

Source      Version   Score          Vector
nvd         v3.1      9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8 CRITICAL