crowdsecurity · buixor · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.appsec-tests/vpatch-CVE-2020-37123/CVE-2020-37123.yaml b/.appsec-tests/vpatch-CVE-2020-37123/CVE-2020-37123.yaml
@@ -0,0 +1,20 @@
+id: CVE-2020-37123
+info:
+  name: CVE-2020-37123
+  author: crowdsec
+  severity: info
+  description: CVE-2020-37123 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /ping.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        ping=127.0.0.1;echo+test
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/vpatch-CVE-2020-37123/config.yaml b/.appsec-tests/vpatch-CVE-2020-37123/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml
+nuclei_template: CVE-2020-37123.yaml
diff --git a/.appsec-tests/vpatch-CVE-2022-3236/CVE-2022-3236.yaml b/.appsec-tests/vpatch-CVE-2022-3236/CVE-2022-3236.yaml
@@ -0,0 +1,21 @@
+id: CVE-2022-3236
+info:
+  name: CVE-2022-3236
+  author: crowdsec
+  severity: info
+  description: CVE-2022-3236 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /userportal/Controller HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        X-Requested-With: XMLHttpRequest
+
+        mode=451&json=%7b%22username%22%3a%22admin%22%2c%22password%22%3a%22x%22%2c%22languageid%22%3a%221%22%2c%22browser%22%3a%22Firefox_91%22%2c%22_discriminator%22%3a%7b%22curvalue%22%3a%22%3b%60nc%20example.com%2080%60%22%7d%2c%22value%22%3a%22curvalue%22%7d&__RequestType=ajax&t=1710331582506
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/vpatch-CVE-2022-3236/config.yaml b/.appsec-tests/vpatch-CVE-2022-3236/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml
+nuclei_template: CVE-2022-3236.yaml
diff --git a/.appsec-tests/vpatch-CVE-2025-10353/CVE-2025-10353.yaml b/.appsec-tests/vpatch-CVE-2025-10353/CVE-2025-10353.yaml
@@ -0,0 +1,29 @@
+id: CVE-2025-10353
+info:
+  name: CVE-2025-10353
+  author: crowdsec
+  severity: info
+  description: CVE-2025-10353 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----crowdsectest
+
+        ------crowdsectest
+        Content-Disposition: form-data; name="mcsdetail_mcslider_id"
+
+        0
+        ------crowdsectest
+        Content-Disposition: form-data; name="mcsdetail_img"; filename="test.php"
+        Content-Type: text/plain
+
+        test
+        ------crowdsectest--
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/vpatch-CVE-2025-10353/config.yaml b/.appsec-tests/vpatch-CVE-2025-10353/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml
+nuclei_template: CVE-2025-10353.yaml
diff --git a/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml b/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml
@@ -0,0 +1,18 @@
+id: CVE-2025-2611
+info:
+  name: CVE-2025-2611
+  author: crowdsec
+  severity: info
+  description: CVE-2025-2611 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        GET /login.php HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: BROADCAST=`echo${IFS}dGVzdA==|base64${IFS}-d|sh`
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/vpatch-CVE-2025-2611/config.yaml b/.appsec-tests/vpatch-CVE-2025-2611/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml
+nuclei_template: CVE-2025-2611.yaml
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml
@@ -0,0 +1,33 @@
+name: crowdsecurity/vpatch-CVE-2020-37123
+description: 'Detects remote code execution via unsanitized ping parameter in Pinger 1.0'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: '/ping.php'
+      - zones:
+          - BODY_ARGS
+        variables:
+          - ping
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: '[;|&`$]'
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Pinger - RCE'
+  classification:
+    - cve.CVE-2020-37123
+    - attack.T1190
+    - cwe.CWE-78
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml
@@ -0,0 +1,33 @@
+name: crowdsecurity/vpatch-CVE-2022-3236
+description: 'Detects code injection in Sophos Firewall User Portal and Webadmin via JSON parameter'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: '/(userportal|webconsole)/controller'
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: '`|\$\('
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Sophos Firewall - Code Injection'
+  classification:
+    - cve.CVE-2022-3236
+    - attack.T1190
+    - cwe.CWE-94
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml
@@ -0,0 +1,30 @@
+name: crowdsecurity/vpatch-CVE-2025-10353
+description: 'Detects unrestricted file upload in Melis Platform CMS Slider module'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: '/melis/meliscmsslider/meliscmssliderdetails/savedetailsform'
+      - zones:
+          - FILENAMES
+        transform:
+          - lowercase
+        match:
+          type: regex
+          value: '\.php|\.phtml'
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Melis Platform - Arbitrary File Upload'
+  classification:
+    - cve.CVE-2025-10353
+    - attack.T1190
+    - cwe.CWE-434
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml
@@ -1,5 +1,5 @@
 name: crowdsecurity/vpatch-CVE-2025-2611
-description: 'Detects command injection in ICTBroadcast via BROADCAST cookie'
+description: 'Detects unauthenticated RCE via session cookie shell injection in ICTBroadcast'
 rules:
   - and:
       - zones:
@@ -29,4 +29,4 @@ labels:
   classification:
     - cve.CVE-2025-2611
     - attack.T1190
-    - cwe.CWE-78
+    - cwe.CWE-78
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -170,6 +170,9 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2025-4689
 - crowdsecurity/vpatch-CVE-2026-20127
 - crowdsecurity/vpatch-CVE-2026-20127-dca-disclosure
+- crowdsecurity/vpatch-CVE-2020-37123
+- crowdsecurity/vpatch-CVE-2022-3236
+- crowdsecurity/vpatch-CVE-2025-10353
 author: crowdsecurity
 tags:
   - waf