ET WEB_SPECIFIC_APPS Sitecore Experience Platforms Remote Code Execution (CVE-2023-35813)
Source: et/open
Created: April 3, 2025
Updated: April 3, 2025
Classification: web-application-attack
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sitecore Experience Platforms Remote Code Execution (CVE-2023-35813)"; flow:established,to_server; http.uri; content:"/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"; fast_pattern; http.request_body; content:"__PARAMETERS|3d|ParseControl|28|"; pcre:"/^[^\x26\x0d\x0a]*?\x253[cC]\x2525(?:\x25(?:40|23|24))/R"; reference:url,code-white.com/blog/exploiting-asp.net-templateparser-part-1/; reference:cve,2023-35813; classtype:web-application-attack; sid:2061258; rev:1; metadata:affected_product Sitecore_CMS, attack_target Server, created_at 2025_04_03, cve CVE_2023_35813, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)