Add WAF virtual patches for CVE-2020-37123, CVE-2022-3236, CVE-2025-10353 and improve CVE-2025-2611 (#1720)

* Add WAF virtual patches for CVE-2020-37123, CVE-2022-3236, CVE-2025-10353 and improve CVE-2025-2611

New rules:
- vpatch-CVE-2020-37123: Pinger 1.0 RCE via unsanitized ping parameter
- vpatch-CVE-2022-3236: Sophos Firewall code injection in User Portal/Webadmin
- vpatch-CVE-2025-10353: Melis Platform unrestricted file upload in CMS Slider

Improved rule:
- vpatch-CVE-2025-2611: ICTBroadcast cookie RCE — switched from COOKIES to
  HEADERS zone, added urldecode transform, broadened regex to catch $() syntax

All rules validated, linted, and tested via Docker harness (403 blocks confirmed).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Update vpatch-CVE-2025-10353.yaml

* Update vpatch-CVE-2025-2611.yaml

* Refactor vpatch-CVE-2025-2611.yaml rules

Removed unnecessary transformations and updated regex values for better matching.

* Add additional metadata to CVE-2025-2611 patch

* Update cookie name in CVE-2025-2611.yaml

* Update CVE-2025-2611.yaml

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: buixor

.appsec-tests/vpatch-CVE-2020-37123/CVE-2020-37123.yaml

@@ -0,0 +1,20 @@
+id: CVE-2020-37123
+info:
+  name: CVE-2020-37123
+  author: crowdsec
+  severity: info
+  description: CVE-2020-37123 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /ping.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        ping=127.0.0.1;echo+test
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2020-37123/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml
+nuclei_template: CVE-2020-37123.yaml

.appsec-tests/vpatch-CVE-2022-3236/CVE-2022-3236.yaml

@@ -0,0 +1,21 @@
+id: CVE-2022-3236
+info:
+  name: CVE-2022-3236
+  author: crowdsec
+  severity: info
+  description: CVE-2022-3236 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /userportal/Controller HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        X-Requested-With: XMLHttpRequest
+
+        mode=451&json=%7b%22username%22%3a%22admin%22%2c%22password%22%3a%22x%22%2c%22languageid%22%3a%221%22%2c%22browser%22%3a%22Firefox_91%22%2c%22_discriminator%22%3a%7b%22curvalue%22%3a%22%3b%60nc%20example.com%2080%60%22%7d%2c%22value%22%3a%22curvalue%22%7d&__RequestType=ajax&t=1710331582506
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2022-3236/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml
+nuclei_template: CVE-2022-3236.yaml

.appsec-tests/vpatch-CVE-2025-10353/CVE-2025-10353.yaml

@@ -0,0 +1,29 @@
+id: CVE-2025-10353
+info:
+  name: CVE-2025-10353
+  author: crowdsec
+  severity: info
+  description: CVE-2025-10353 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----crowdsectest
+
+        ------crowdsectest
+        Content-Disposition: form-data; name="mcsdetail_mcslider_id"
+
+        0
+        ------crowdsectest
+        Content-Disposition: form-data; name="mcsdetail_img"; filename="test.php"
+        Content-Type: text/plain
+
+        test
+        ------crowdsectest--
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2025-10353/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml
+nuclei_template: CVE-2025-10353.yaml

.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml

@@ -0,0 +1,18 @@
+id: CVE-2025-2611
+info:
+  name: CVE-2025-2611
+  author: crowdsec
+  severity: info
+  description: CVE-2025-2611 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        GET /login.php HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: BROADCAST=`echo${IFS}dGVzdA==|base64${IFS}-d|sh`
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2025-2611/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml
+nuclei_template: CVE-2025-2611.yaml

appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml

@@ -0,0 +1,33 @@
+name: crowdsecurity/vpatch-CVE-2020-37123
+description: 'Detects remote code execution via unsanitized ping parameter in Pinger 1.0'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: '/ping.php'
+      - zones:
+          - BODY_ARGS
+        variables:
+          - ping
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: '[;|&`$]'
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Pinger - RCE'
+  classification:
+    - cve.CVE-2020-37123
+    - attack.T1190
+    - cwe.CWE-78

appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml

@@ -0,0 +1,33 @@
+name: crowdsecurity/vpatch-CVE-2022-3236
+description: 'Detects code injection in Sophos Firewall User Portal and Webadmin via JSON parameter'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: '/(userportal|webconsole)/controller'
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: '`|\$\('
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Sophos Firewall - Code Injection'
+  classification:
+    - cve.CVE-2022-3236
+    - attack.T1190
+    - cwe.CWE-94