Add vpatch-CVE-2025-53693 rule and test #44

Merged: buixor merged 4 commits into master from 1781262568-vpatch-CVE-2025-53693 on Jun 17, 2026

@crowdsec-automation

This rule detects exploitation attempts for CVE-2025-53693, a Sitecore XAML AjaxScriptManager cache poisoning vulnerability. The exploit involves sending a POST request to a XAML control endpoint (e.g., /-/xaml/Sitecore.Shell.Applications.Dialogs.ItemLister.ItemLister) with a specially crafted __PARAMETERS body argument containing a JSON object with the "AddToCache" method. The rule matches:

  • The URI containing "/-/xaml/" (case-insensitive, URL-decoded), which is the common prefix for Sitecore XAML controls.
  • The presence of the "__parameters" body argument (case-insensitive, URL-decoded) containing the string "addtocache", which is the reflection method used to poison the cache.

This approach ensures detection of the core exploit vector while minimizing false positives by focusing on the unique combination of endpoint and method invocation. The test nuclei template simulates a typical exploit attempt and expects a 403 response if the rule is triggered.

Validation Checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase and urldecode.
  • No match.value contains capital letters.
  • The rule uses contains instead of regex where applicable.
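
The two-condition match described in the comment above, as an added Python sketch (not the merged rule file and not CrowdSec's engine). It approximates the urldecode and lowercase transforms with the standard library; the sample requests, the `Some.Control` path and the `constructed` JSON key are constructed placeholders.

```python
from urllib.parse import parse_qsl, unquote_plus

# Match values taken from the PR description (all lowercase, as the checklist requires).
URI_MARKER = "/-/xaml/"
ARG_NAME = "__parameters"
ARG_MARKER = "addtocache"


def normalize(value: str) -> str:
    """Apply the two transforms the description names: urldecode, then lowercase."""
    return unquote_plus(value).lower()


def rule_matches(uri: str, body: str) -> bool:
    """True only when BOTH conditions hold: XAML endpoint AND marker in __parameters."""
    if URI_MARKER not in normalize(uri):
        return False
    # parse_qsl decodes the form body once; normalize() decodes again, so a
    # double-encoded value is still compared in its plain form.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if normalize(name) == ARG_NAME and ARG_MARKER in normalize(value):
            return True
    return False


# Constructed sample requests (uri, form body); the values are placeholders.
XAML = "/-/xaml/Sitecore.Shell.Applications.Dialogs.ItemLister.ItemLister"
SAMPLES = {
    "marker in __PARAMETERS": (XAML, "__PARAMETERS=%7B%22constructed%22%3A%22AddToCache%22%7D"),
    "mixed case, encoded path": ("/%2D/XAML/Some.Control", "__Parameters=ADDTOCACHE"),
    "double-encoded marker": (XAML, "__PARAMETERS=Add%2554oCache"),
    "other method name": (XAML, "__PARAMETERS=%7B%22constructed%22%3A%22Refresh%22%7D"),
    "marker in another arg": (XAML, "note=AddToCache"),
    "marker, other endpoint": ("/api/search", "__PARAMETERS=AddToCache"),
}


def evaluate() -> dict:
    """Return {label: matched} for every constructed sample."""
    return {label: rule_matches(uri, body) for label, (uri, body) in SAMPLES.items()}


if __name__ == "__main__":
    for label, matched in evaluate().items():
        print(f"{'BLOCK' if matched else 'pass ':5}  {label}")
```

The last three samples show why the rule requires both conditions: the marker string alone, or the XAML endpoint alone, does not trigger a block.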

@github-actions

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2025-53693 🔴

@github-actions

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

@buixor merged commit fc2f426 into master on Jun 17, 2026
11 checks passed