CVE-2023-35813
Published: 2023-06-17
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
Priority: P1 · 93 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: In-the-wild exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.69% (99.7th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sitecore | experience_commerce | 8.2 – 10.3 | — |
| sitecore | experience_manager | 8.2 – 10.3 | — |
| sitecore | experience_platform | 8.2 – 10.3 | — |
| sitecore | managed_cloud | 8.2 – 10.3 | — |
Detection & IOCs (extracted from sources)
path: /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sitecore Experience Platforms Remote Code Execution (CVE-2023-35813)"; flow:established,to_server; http.uri; content:"/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"; fast_pattern; http.request_body; content:"__PARAMETERS|3d|ParseControl|28|"; pcre:"/^[^\x26\x0d\x0a]*?\x253[cC]\x2525(?:\x25(?:40|23|24))/R"; reference:url,code-white.com/blog/exploiting-asp.net-templateparser-part-1/; reference:cve,2023-35813; classtype:web-application-attack; sid:2061258; rev:1; metadata:affected_product Sitecore_CMS, attack_target Server, created_at 2025_04_03, cve CVE_2023_35813, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: __PARAMETERS|3d|ParseControl|28|
bytes (pcre): /^[^\x26\x0d\x0a]*?\x253[cC]\x2525(?:\x25(?:40|23|24))/R
- Vulnerability probe can be detected by checking for the string 'TestVulnerability' in the Content-Type response header after sending the initial test payload
- Successful exploitation response contains 'commands', 'command', and 'value' in the body with HTTP 200 status and a reflected string in the Content-Type header
- Shodan/FOFA fingerprinting: target Sitecore instances can be identified by page title 'Sitecore' before exploitation
- The exploit is unauthenticated (no session/auth cookies required); any POST to the XAML handler with a crafted __PARAMETERS value should be treated as a high-severity alert
- Affected versions span a wide range: Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release through 10.3 Initial Release; version 8.2 is also impacted
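Added example, not from any of the sources indexed above: the request-side logic of ET rule sid 2061258 re-implemented in Python so a defender can replay it over stored web logs or proxy captures. `HttpRequest`, `scan` and the `SAMPLES` bodies are constructed here; the URI marker, body marker and pcre are copied from the rule.

```python
import re
from dataclasses import dataclass

# Request-side conditions copied from ET rule sid 2061258 (the Snort/Suricata
# rule quoted in the Detection & IOCs section); nothing here is invented.
URI_MARKER = b"/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
BODY_MARKER = b"__PARAMETERS=ParseControl("  # rule bytes: |3d| is '=', |28| is '('
# The rule's pcre carries the /R flag, so it is anchored at the byte right after
# BODY_MARKER. Within the same form field (no '&', CR or LF in between) it wants
# "%3C%25" followed by "%40", "%23" or "%24": a URL-encoded "<%@", "<%#" or "<%$",
# i.e. an ASP.NET directive, data-binding or expression opener handed to ParseControl.
RELATIVE_PCRE = re.compile(rb"^[^\x26\x0d\x0a]*?\x253[cC]\x2525(?:\x25(?:40|23|24))")


@dataclass
class HttpRequest:  # constructed minimal request model
    uri: str
    body: bytes


def matches_et_2061258(req: HttpRequest) -> bool:
    """True when the request satisfies every content/pcre test of the rule."""
    if URI_MARKER not in req.uri.encode():
        return False
    idx = req.body.find(BODY_MARKER)
    if idx == -1:
        return False
    rest = req.body[idx + len(BODY_MARKER):]  # /R: match continues after the content hit
    return RELATIVE_PCRE.match(rest) is not None


def scan(requests: list) -> list:
    """Indices of the requests that should raise the rule's alert."""
    return [i for i, r in enumerate(requests) if matches_et_2061258(r)]


# Constructed sample traffic (not captured data): one hit, one lowercase-encoded
# hit, and two requests that look similar but must not fire.
XAML = "/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
SAMPLES = [
    HttpRequest(XAML, b"__VIEWSTATE=x&__PARAMETERS=ParseControl(%3C%25%40%20x)"),
    HttpRequest(XAML, b"__PARAMETERS=ParseControl(%3c%25%23%20x)"),
    # opener sits in a different form field, so the /R-anchored pcre rejects it
    HttpRequest(XAML, b"__PARAMETERS=ParseControl(x)&other=%3C%25%40"),
    # right body shape, but a different handler path
    HttpRequest("/sitecore/shell/default.aspx", b"__PARAMETERS=ParseControl(%3C%25%40)"),
]

if __name__ == "__main__":
    print("alerts at sample indices:", scan(SAMPLES))  # [0, 1]
```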
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-q6mf-24rq-66wc: Multiple Sitecore products allow remote code execution
ghsa_unreviewed · 2023-06-18 · CRITICAL · CWE-94
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
VulnCheck
Experience Manager, Experience Platform, and Experience Commerce Remote Code Execution
vulncheck · 2023 · CVSS 9.8 · CRITICAL
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
Affected: Sitecore experience_commerce
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2023-35813; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2023-35813; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?d
Suricata
ET WEB_SPECIFIC_APPS Sitecore Experience Platforms Remote Code Execution (CVE-2023-35813)
suricata · 2025-04-03 · CVSS 9.8 · CRITICAL
Rule: sid 2061258, rev 1; the full rule text is listed under Detection & IOCs above.
Exploit-DB
Sitecore - Remote Code Execution v8.2
exploitdb · 2024-03-11 · CVSS 9.8 · CRITICAL

Header of the indexed exploit script (the listing is cut off after the imports):

```python
#!/usr/bin/env python3
#
# Exploit Title: Sitecore - Remote Code Execution v8.2
# Exploit Author: abhishek morla
# Google Dork: N/A
# Date: 2024-01-08
# Vendor Homepage: https://www.sitecore.com/
# Software Link: https://dev.sitecore.net/
# Version: 10.3
# Tested on: Windows 64-bit / Mozilla Firefox
# CVE : CVE-2023-35813
# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted
# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09
# Video POC : https://youtu.be/vWKl9wgdTB0
import argparse
import requests
from urllib.parse import quote
from rich.console import Console

console = Console()
```
Nuclei
Sitecore - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
Template (the listing is cut off in the remediation field):

```yaml
id: CVE-2023-35813

info:
  name: Sitecore - Remote Code Execution
  author: DhiyaneshDk,iamnoooob
  severity: critical
  description: |
    Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
  impact: |
    Unauthenticated attackers can execute arbitrary code on Sitecore servers through the XAML parser by injecting malicious ASP.NET markup, potentially compromising the entire content management system and accessing sensitive customer data.
  remediation: |
    Apply Sitecore security patches as outlined in KB1002979 for Experi
```
No writeups or analysis indexed.
Timeline: 2023-06-17 published · exploited in the wild