Add vpatch-CVE-2024-21650 rule and test

.appsec-tests/vpatch-CVE-2024-21650/CVE-2024-21650.yaml

@@ -0,0 +1,21 @@
+## autogenerated on 2025-09-24 14:18:04
+id: CVE-2024-21650
+info:
+  name: CVE-2024-21650
+  author: crowdsec
+  severity: info
+  description: CVE-2024-21650 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /xwiki/bin/register/XWiki/XWikiRegister?xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fxwiki%252Fbin%252Fview%252FScheduler%252F%253Fdo%253Dtrigger%2526which%253DScheduler.NotificationEmailDailySender HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        parent=xwiki%3AMain.UserDirectory&register_first_name=%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dservices.logging.getLogger%28%22attacker%22%29.error%28%22Attack+succeeded%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&register_last_name=test&xwikiname=testuser&register_password=testpass&register2_password=testpass&register_email=test%40test.com&xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fxwiki%252Fbin%252Fview%252FScheduler%252F%253Fdo%253Dtrigger%2526which%253DScheduler.NotificationEmailDailySender&form_token=dummytoken
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2024-21650/config.yaml

@@ -0,0 +1,5 @@
+## autogenerated on 2025-09-24 14:18:04
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-21650.yaml
+nuclei_template: CVE-2024-21650.yaml

appsec-rules/crowdsecurity/vpatch-CVE-2024-21650.yaml

@@ -0,0 +1,36 @@
+## autogenerated on 2025-09-24 14:18:04
+name: crowdsecurity/vpatch-CVE-2024-21650
+description: 'Detects XWiki user registration RCE via malicious payloads in first or last name fields.'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: /bin/register/xwiki/xwikiregister
+      - zones:
+          - BODY_ARGS
+        variables:
+          - register_first_name
+          - register_last_name
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: '{{groovy}}'
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'XWiki - RCE'
+  classification:
+    - cve.CVE-2024-21650
+    - attack.T1190
+    - cwe.CWE-95

collections/crowdsecurity/appsec-virtual-patching.yaml

@@ -113,6 +113,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2025-57819
 - crowdsecurity/vpatch-CVE-2024-0204
 - crowdsecurity/vpatch-CVE-2020-25078
+- crowdsecurity/vpatch-CVE-2024-21650
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base

taxonomy/scenarios.json

@@ -1635,6 +1635,28 @@
       "CVE-2024-1212"
     ]
   },
+  "crowdsecurity/vpatch-CVE-2024-21650": {
+    "name": "crowdsecurity/vpatch-CVE-2024-21650",
+    "description": "Detects XWiki user registration RCE via malicious payloads in first or last name fields.",
+    "label": "XWiki - RCE",
+    "behaviors": [
+      "http:exploit"
+    ],
+    "mitre_attacks": [
+      "TA0001:T1190"
+    ],
+    "confidence": 3,
+    "spoofable": 0,
+    "cti": true,
+    "service": "http",
+    "created_at": "2025-04-24 18:35:30",
+    "cves": [
+      "CVE-2024-21650"
+    ],
+    "cwes": [
+      "CWE-95"
+    ]
+  },
   "crowdsecurity/vpatch-CVE-2024-22024": {
     "name": "crowdsecurity/vpatch-CVE-2024-22024",
     "description": "Ivanti Connect Secure - XXE (CVE-2024-22024)",