
Add vpatch-CVE-2025-27222 rule and test

Open crowdsec-automation opened this issue 2 months ago • 4 comments

This rule detects path traversal (LFI) attempts in TRUfusion Enterprise's getCobrandingData endpoint. The detection is based on two conditions:

  1. The request URI must contain `/trufusionportal/getcobrandingdata` (case-insensitive, normalized).
  2. The `cobrandingImageName` argument in the query string must contain the sequence `../` (after URL decoding and lowercasing), which is a strong indicator of a path traversal attempt.

This approach minimizes false positives by:

  • Targeting only the relevant endpoint and parameter.
  • Looking for the traversal meta-characters rather than specific file paths.
  • Applying lowercase and urldecode transforms to ensure normalization and case insensitivity.

The test configuration uses the original nuclei template's request, but expects a 403 response to confirm the WAF rule is working. All `value:` fields are lowercase, and the rule uses `contains` for matching as per best practices. No regex is used where a simple substring match suffices.

crowdsec-automation, Oct 15 '25 13:10
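To make the two conditions above concrete, here is a stand-alone re-implementation of the described matching logic in Python, run over constructed request targets. This is added example code, not the CrowdSec rule file or anything from the hub repository: it assumes the rule applies exactly one URL-decode followed by lowercasing to the raw query value, matches the argument name `cobrandingImageName` literally, and checks the request path for the endpoint substring after the same normalization. The sample requests (including the double-encoded and backslash variants) are constructed to show what a single-decode, `../`-only substring rule does and does not catch.

```python
"""Re-implementation of the vpatch-CVE-2025-27222 detection logic (example only).

Hypothetical code written to illustrate the rule described in the issue; it is
not the CrowdSec AppSec rule itself and makes these assumptions:
  * transforms are applied in the order urldecode -> lowercase, exactly once;
  * the argument name is matched literally as 'cobrandingImageName';
  * the endpoint check is a substring match on the normalized request path.
"""
from urllib.parse import unquote, urlsplit

ENDPOINT = "/trufusionportal/getcobrandingdata"   # condition 1, already lowercase
PARAM = "cobrandingImageName"                     # argument inspected by condition 2
TRAVERSAL = "../"                                 # traversal meta-characters looked for


def normalize(value: str) -> str:
    """Apply the rule's transforms: one URL-decode, then lowercase."""
    return unquote(value).lower()


def raw_args(query: str):
    """Yield (name, raw_value) pairs from a query string WITHOUT decoding them.

    Splitting on the raw string keeps the decode count under our control, so
    the value is decoded exactly once in normalize() rather than twice.
    """
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield name, value


def matches_rule(target: str) -> bool:
    """Return True when both conditions of the virtual patch hold for a request target."""
    parts = urlsplit(target)

    # Condition 1: normalized path contains the vulnerable endpoint.
    if ENDPOINT not in normalize(parts.path):
        return False

    # Condition 2: the cobrandingImageName value contains '../' after decoding.
    for name, raw_value in raw_args(parts.query):
        if name == PARAM and TRAVERSAL in normalize(raw_value):
            return True
    return False


# Constructed sample requests (not real traffic), paired with the outcome the
# described rule produces. The last two show the rule's scope: a single decode
# does not unwrap %252f, and a backslash traversal is not the '../' sequence.
SAMPLES = [
    ("/TRUfusionPortal/getCobrandingData?cobrandingImageName=../../../../etc/passwd", True),
    ("/trufusionportal/getcobrandingdata?cobrandingImageName=%2E%2E%2Fweb.xml", True),
    ("/trufusionportal/getcobrandingdata?cobrandingImageName=logo.png", False),
    ("/trufusionportal/getcobrandingdata?other=../../x&cobrandingImageName=logo.png", False),
    ("/other/endpoint?cobrandingImageName=../../etc/passwd", False),
    ("/trufusionportal/getcobrandingdata?cobrandingImageName=..%252f..%252fetc/passwd", False),
    ("/trufusionportal/getcobrandingdata?cobrandingImageName=..\\..\\windows\\win.ini", False),
]


def evaluate_samples() -> list:
    """Run every sample through matches_rule and return (target, expected, got) tuples."""
    return [(t, expected, matches_rule(t)) for t, expected in SAMPLES]


if __name__ == "__main__":
    for target, expected, got in evaluate_samples():
        status = "403" if got else "pass"
        print(f"{status:>4}  expected={expected!s:<5}  {target}")
```

The double-encoded and backslash cases are listed so the reviewer can see the rule's boundary, not to claim a bypass: whether they matter depends on how many decode passes the target application performs and which separators it accepts, neither of which the issue states.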

Hello @crowdsec-automation and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2025-27222 :red_circle:

github-actions[bot], Oct 15 '25 13:10

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

github-actions[bot], Oct 15 '25 13:10

Hello @seemanne and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2023-0600 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-2009 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-0900 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-6623 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-23489 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-4634 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-23488 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2024-1071 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-6567 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2023-6360 :red_circle:
:red_circle: crowdsecurity/vpatch-CVE-2024-1061 :red_circle:

github-actions[bot], Oct 22 '25 14:10

Hello @seemanne,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

github-actions[bot], Oct 22 '25 14:10

closing in favor of https://github.com/crowdsecurity/hub/pull/1574

seemanne, Nov 05 '25 15:11