alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Suspected cPanel XSS Exploit Activity (CVE-2023-29489)"; flow:established; http.uri; content:"/cpanelwebcall/"; nocase; fast_pattern; startswith; content:"onerror=|22|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.assetnote.io/2023/04/26/xss-million-websites-cpanel/; reference:url,forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.708949/; reference:cve,2023-29489; classtype:attempted-admin; sid:2045629; rev:1; metadata:attack_target Web_Server, created_at 2023_05_10, cve CVE_2023_29489, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_10; target:dest_ip;)