From 434dd89867d40aab82a924570f40e9fee464da46 Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 24 Sep 2025 16:18:07 +0200
Subject: [PATCH 1/5] Add vpatch-CVE-2024-21650 rule
---
 .../crowdsecurity/vpatch-CVE-2024-21650.yaml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-21650.yaml
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-21650.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-21650.yaml
new file mode 100644
index 00000000000..8946273fbd8
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-21650.yaml
@@ -0,0 +1,36 @@
+## autogenerated on 2025-09-24 14:18:04
+name: crowdsecurity/vpatch-CVE-2024-21650
+description: 'Detects XWiki user registration RCE via malicious payloads in first or last name fields.'
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: contains
+ value: /bin/register/xwiki/xwikiregister
+ - zones:
+ - BODY_ARGS
+ variables:
+ - register_first_name
+ - register_last_name
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: contains
+ value: '{{groovy}}'
+
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: 'http:exploit'
+ label: 'XWiki - RCE'
+ classification:
+ - cve.CVE-2024-21650
+ - attack.T1190
+ - cwe.CWE-95
From 4c256b72a398e790899c4d6daaa1008ea0c13010 Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 24 Sep 2025 16:18:09 +0200
Subject: [PATCH 2/5] Add vpatch-CVE-2024-21650 test config
---
 .appsec-tests/vpatch-CVE-2024-21650/config.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2024-21650/config.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-21650/config.yaml b/.appsec-tests/vpatch-CVE-2024-21650/config.yaml
new file mode 100644
index 00000000000..07c79391e19
--- /dev/null
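Review bot: The second condition in `appsec-rules/crowdsecurity/vpatch-CVE-2024-21650.yaml` matches only the literal `{{groovy}}`, so the rule follows the bundled test payload rather than the injection point, and wiki macro syntax of any other kind in `register_first_name` or `register_last_name` is not caught. A person's name has no reason to contain macro syntax, so matching the macro opener is broader and should carry little false-positive risk, e.g. `value: '{{'`. The zone list is also limited to `BODY_ARGS`; if XWiki reads these fields from the query string as well (plausible, but not visible in this patch), `zones` should also list `ARGS` so both locations are inspected. A short comment above the second condition, such as `# name fields are rendered as wiki syntax; any macro opener is treated as hostile`, would record the intent in this autogenerated file.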
+++ b/.appsec-tests/vpatch-CVE-2024-21650/config.yaml
@@ -0,0 +1,5 @@
+## autogenerated on 2025-09-24 14:18:04
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/base-config.yaml
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-21650.yaml
+nuclei_template: CVE-2024-21650.yaml
From d0576944640b89ea8dfae62b0c7f6bbe02e2d31a Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 24 Sep 2025 16:18:11 +0200
Subject: [PATCH 3/5] Add CVE-2024-21650.yaml test
---
 .../vpatch-CVE-2024-21650/CVE-2024-21650.yaml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2024-21650/CVE-2024-21650.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-21650/CVE-2024-21650.yaml b/.appsec-tests/vpatch-CVE-2024-21650/CVE-2024-21650.yaml
new file mode 100644
index 00000000000..fbb8feda013
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-21650/CVE-2024-21650.yaml
@@ -0,0 +1,21 @@
+## autogenerated on 2025-09-24 14:18:04
+id: CVE-2024-21650
+info:
+ name: CVE-2024-21650
+ author: crowdsec
+ severity: info
+ description: CVE-2024-21650 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ POST /xwiki/bin/register/XWiki/XWikiRegister?xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fxwiki%252Fbin%252Fview%252FScheduler%252F%253Fdo%253Dtrigger%2526which%253DScheduler.NotificationEmailDailySender HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ parent=xwiki%3AMain.UserDirectory®ister_first_name=%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dservices.logging.getLogger%28%22attacker%22%29.error%28%22Attack+succeeded%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D®ister_last_name=test&xwikiname=testuser®ister_password=testpass®ister2_password=testpass®ister_email=test%40test.com&xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fxwiki%252Fbin%252Fview%252FScheduler%252F%253Fdo%253Dtrigger%2526which%253DScheduler.NotificationEmailDailySender&form_token=dummytoken
+ cookie-reuse: true
+ matchers:
+ - type: status
+ status:
+ - 403
From b162e92708dff155f96ec523608719301513ee68 Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 24 Sep 2025 16:18:13 +0200
Subject: [PATCH 4/5] Add vpatch-CVE-2024-21650 rule to vpatch collection
---
 collections/crowdsecurity/appsec-virtual-patching.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index c77293f05e0..3f84bf05e22 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
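Review bot: In the request body of `.appsec-tests/vpatch-CVE-2024-21650/CVE-2024-21650.yaml` the field separators appear as `®ister_first_name`, `®ister_last_name`, `®ister_password`, `®ister2_password` and `®ister_email`, which looks like `&reg` having been HTML-entity-decoded somewhere along the way. If the committed file really contains `®`, the body no longer carries the `register_first_name` argument the rule inspects, and the expected 403 cannot be attributed to this rule. The separators should read `&register_first_name=`, `&register_last_name=` and so on. The test also exercises only `register_first_name`; a second request with the marker in `register_last_name` would cover the other variable the rule lists.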
@@ -111,6 +111,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-51977
 - crowdsecurity/vpatch-CVE-2022-31499
 - crowdsecurity/vpatch-CVE-2025-57819
+- crowdsecurity/vpatch-CVE-2024-21650
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base
From b3527c8ceab03cbc745bd90e72a38c9ca6fc83c3 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 24 Sep 2025 14:20:35 +0000
Subject: [PATCH 5/5] Update taxonomy
---
 taxonomy/scenarios.json | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
index 19b07eb8ce9..91ebd8a9547 100644
--- a/taxonomy/scenarios.json
+++ b/taxonomy/scenarios.json
@@ -1591,6 +1591,28 @@
 "CVE-2024-1212"
 ]
 },
+ "crowdsecurity/vpatch-CVE-2024-21650": {
+ "name": "crowdsecurity/vpatch-CVE-2024-21650",
+ "description": "Detects XWiki user registration RCE via malicious payloads in first or last name fields.",
+ "label": "XWiki - RCE",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "created_at": "2025-04-24 18:35:30",
+ "cves": [
+ "CVE-2024-21650"
+ ],
+ "cwes": [
+ "CWE-95"
+ ]
+ },
 "crowdsecurity/vpatch-CVE-2024-22024": {
 "name": "crowdsecurity/vpatch-CVE-2024-22024",
 "description": "Ivanti Connect Secure - XXE (CVE-2024-22024)",