Add vpatch-CVE-2019-9621 rule and test
This rule targets exploitation attempts of CVE-2019-9621 in Zimbra Collaboration Suite, where attackers leverage XML External Entity (XXE) injection via the /autodiscover endpoint. The detection logic is as follows:
- The first rule ensures the request is made to the `/autodiscover` endpoint, which is the only relevant URI for this vulnerability. The `equals` match is used for precision, and the value is lowercased for normalization.
- The second rule inspects the raw body of the request for the presence of the string `<!doctype`, which is a strong indicator of an XXE payload (as seen in the nuclei template). The body is lowercased to ensure case-insensitive matching.
- No attempt is made to match on the full XXE payload or specific file paths, to avoid false positives and maintain generality for XXE attempts.
- The labels section includes the correct CVE, ATT&CK, and CWE references, and the product/vuln class label is formatted as required.
All `value:` fields are lowercase, and the transform includes `lowercase` as required. The rule uses `contains` for the body match, which is appropriate for this context. No regex is used where a simple substring match suffices.
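As an added example (not the rule shipped in the hub and not the PR author's code), the following Python evaluator mirrors the two ANDed conditions described above and runs them over constructed requests. The dict layout (`zones` / `transform` / `match`), the zone names `URI` and `RAW_BODY`, and the sample bodies are assumptions made for this illustration; none of it is captured traffic or the engine's real schema.

```python
import re
from typing import Any, Callable, Dict, List

# Constructed rule object mirroring the PR description: URI must equal
# "/autodiscover" and RAW_BODY must contain "<!doctype", both lowercased.
# The dict layout is an assumption for this example, not the hub's YAML schema.
VPATCH_CVE_2019_9621: Dict[str, Any] = {
    "name": "crowdsecurity/vpatch-CVE-2019-9621",
    "rules": [
        {"and": [
            {"zones": ["URI"], "transform": ["lowercase"],
             "match": {"type": "equals", "value": "/autodiscover"}},
            {"zones": ["RAW_BODY"], "transform": ["lowercase"],
             "match": {"type": "contains", "value": "<!doctype"}},
        ]},
    ],
}

TRANSFORMS: Dict[str, Callable[[str], str]] = {"lowercase": str.lower}

MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda got, want: got == want,
    "contains": lambda got, want: want in got,
    "regex": lambda got, want: re.search(want, got) is not None,
}


def eval_condition(cond: Dict[str, Any], request: Dict[str, str]) -> bool:
    """Evaluate one condition (or an and/or group) against a request.

    A zone the request does not carry (e.g. RAW_BODY when the WAF did not
    forward the body) is skipped, so it can never satisfy a match.
    """
    if "and" in cond:
        return all(eval_condition(c, request) for c in cond["and"])
    if "or" in cond:
        return any(eval_condition(c, request) for c in cond["or"])
    matcher = MATCHERS[cond["match"]["type"]]
    wanted = cond["match"]["value"]
    for zone in cond["zones"]:
        value = request.get(zone)
        if value is None:
            continue
        for name in cond.get("transform", []):
            value = TRANSFORMS[name](value)
        if matcher(value, wanted):
            return True
    return False


def rule_matches(rule: Dict[str, Any], request: Dict[str, str]) -> bool:
    """A rule fires if any of its top-level entries evaluates true."""
    return any(eval_condition(c, request) for c in rule["rules"])


# Constructed test vectors (not real traffic). The XXE body uses the classic
# DOCTYPE/ENTITY shape in upper case so the lowercase transform is exercised.
XXE_BODY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE Autodiscover [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    "<Autodiscover><Request><EMailAddress>&xxe;</EMailAddress>"
    "</Request></Autodiscover>"
)

SAMPLE_REQUESTS: List[tuple] = [
    ("xxe_upper_case", {"URI": "/Autodiscover", "RAW_BODY": XXE_BODY}),
    ("benign_autodiscover", {"URI": "/autodiscover",
                             "RAW_BODY": "<Autodiscover><Request/></Autodiscover>"}),
    ("doctype_other_endpoint", {"URI": "/service/soap", "RAW_BODY": XXE_BODY}),
    ("subpath_not_equal", {"URI": "/autodiscover/autodiscover.xml",
                           "RAW_BODY": XXE_BODY}),
    ("raw_body_missing", {"URI": "/autodiscover"}),
]


def classify(rule: Dict[str, Any] = VPATCH_CVE_2019_9621,
             samples=SAMPLE_REQUESTS) -> Dict[str, bool]:
    """Run the rule over every sample and report which ones it flags."""
    return {name: rule_matches(rule, req) for name, req in samples}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{'BLOCK' if hit else 'pass '}  {name}")
```

Two of the constructed cases are the ones a practitioner should keep in view. Because the URI condition is `equals`, a request to a sub-path or with a trailing slash is not covered by the rule as described, so the choice of exact value has to match what the target actually exposes. And because the body condition can only be satisfied when the `RAW_BODY` zone is present, the rule silently never fires if the engine does not hand the body to the AppSec component, which is the concern raised later in this thread.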
Hello @crowdsec-automation and thank you for your contribution!
:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:
:red_circle: crowdsecurity/vpatch-CVE-2019-9621 :red_circle:
Hello @crowdsec-automation,
Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
Hello @buixor,
:white_check_mark: The new VPATCH Rule is compliant, thank you for your contribution!
Hello @buixor,
Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
Hello @buixor and thank you for your contribution!
:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:
:red_circle: crowdsecurity/vpatch-CVE-2023-0600 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-2009 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-0900 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6623 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23489 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-4634 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23488 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1071 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6567 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6360 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1061 :red_circle:
Hello @buixor and thank you for your contribution!
I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.
The following items have errors:
crowdsecurity/crs-exclusion-plugin-cpanel:
  `labels` not found
crowdsecurity/crs-exclusion-plugin-dokuwiki:
  `labels` not found
crowdsecurity/crs-exclusion-plugin-drupal:
  `labels` not found
crowdsecurity/crs-exclusion-plugin-nextcloud:
  `labels` not found
crowdsecurity/crs-exclusion-plugin-phpbb:
  `labels` not found
crowdsecurity/crs-exclusion-plugin-phpmyadmin:
  `labels` not found
crowdsecurity/crs-exclusion-plugin-wordpress:
  `labels` not found
crowdsecurity/crs-exclusion-plugin-xenforo:
  `labels` not found
Mitre ATT&CK
Information about MITRE ATT&CK can be found here. As an example, some common MITRE ATT&CK techniques:
- T1110 for bruteforce attacks
- T1595 and T1190 for exploitation of public vulnerabilities
- T1595 for generic scanning of exposed applications
Expected format is (where XXXX is the technique ID):
```yaml
labels:
  classification:
    - attack.TXXXX
```
CVEs
If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.
Expected format is (where CVE-XXX-XXX is the CVE ID):
```yaml
labels:
  classification:
    - cve.CVE-XXX-XXX
```
Behaviors
Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.
Expected format is (where <behavior> is the behavior you want to target):
```yaml
labels:
  behavior: <behavior>
```
See the labels documentation for more information.
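The bot's message spells out three label requirements but not how it checks them. As an added example, not the hub's validator and not anyone's code from this thread, the Python below applies those format rules to a few constructed hub items: one without a `labels` block (as reported above), one complete vpatch-style block, and one with a malformed CVE entry. The regular expressions, the acceptance of `cwe.CWE-NNN` entries (the PR description mentions CWE references) and the behavior value `http:exploit` are assumptions for this illustration.

```python
import re
from typing import Any, Dict, List

# Assumed patterns for the formats the bot message asks for; the real
# validator's rules are not shown on this page.
ATTACK_RE = re.compile(r"^attack\.T\d{4}(?:\.\d{3})?$")   # attack.T1190, attack.T1190.001
CVE_RE = re.compile(r"^cve\.CVE-\d{4}-\d{4,}$")           # cve.CVE-2019-9621
CWE_RE = re.compile(r"^cwe\.CWE-\d+$")                    # cwe.CWE-611 (assumed accepted)


def check_labels(name: str, item: Dict[str, Any]) -> List[str]:
    """Return the label problems for one hub item (empty list if clean)."""
    labels = item.get("labels")
    if not isinstance(labels, dict):
        return [f"{name}: labels not found"]
    errors: List[str] = []
    classification = labels.get("classification")
    if not isinstance(classification, list) or not classification:
        errors.append(f"{name}: classification missing")
        classification = []
    # At least one ATT&CK technique is expected; CVE and CWE entries are optional.
    if not any(ATTACK_RE.match(str(c)) for c in classification):
        errors.append(f"{name}: no attack.TXXXX technique in classification")
    for entry in classification:
        text = str(entry)
        if not (ATTACK_RE.match(text) or CVE_RE.match(text) or CWE_RE.match(text)):
            errors.append(f"{name}: unrecognised classification entry {text!r}")
    if not labels.get("behavior"):
        errors.append(f"{name}: behavior not set")
    return errors


def check_items(items: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Validate several items; only items with problems appear in the report."""
    report: Dict[str, List[str]] = {}
    for name, item in items.items():
        problems = check_labels(name, item)
        if problems:
            report[name] = problems
    return report


# Constructed items for the demonstration (not the hub's actual files).
SAMPLE_ITEMS: Dict[str, Dict[str, Any]] = {
    "crowdsecurity/crs-exclusion-plugin-wordpress": {
        "description": "CRS exclusion plugin for WordPress",
    },
    "crowdsecurity/vpatch-CVE-2019-9621": {
        "labels": {
            "behavior": "http:exploit",  # assumed behavior name
            "classification": ["cwe.CWE-611", "attack.T1190", "cve.CVE-2019-9621"],
        },
    },
    "crowdsecurity/example-bad-cve": {
        "labels": {
            "behavior": "http:exploit",
            "classification": ["attack.T1190", "cve.2019-9621"],  # missing "CVE-"
        },
    },
}


if __name__ == "__main__":
    for name, problems in check_items(SAMPLE_ITEMS).items():
        print(name)
        for problem in problems:
            print("  " + problem)
```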
This PR needs to wait for WAF change in crowdsec to ensure RAW_BODY is always present @blotus