Add vpatch-CVE-2025-53693 rule and test #49

Open

crowdsec-automation wants to merge 4 commits into master from 1781692498-vpatch-CVE-2025-53693

Conversation

@crowdsec-automation


This rule detects exploitation attempts for CVE-2025-53693, a Sitecore XAML AjaxScriptManager cache poisoning vulnerability. The exploit involves sending a POST request to a XAML control endpoint (e.g., /-/xaml/Sitecore.Shell.Applications.Dialogs.ItemLister.ItemLister) with a specially crafted __PARAMETERS argument containing a JSON object with the method "AddToCache". The rule matches:

  • The URI containing "/-/xaml/", which is the common prefix for XAML control endpoints in Sitecore.
  • The presence of the "addtocache" method in the __PARAMETERS body argument (case-insensitive, URL-decoded), which is the reflection method abused for cache poisoning.

This approach ensures detection of the core exploit vector while minimizing false positives by focusing on the unique combination of endpoint and method name. The rule uses "contains" for flexibility and applies both "lowercase" and "urldecode" transforms to handle encoding and case variations.

Validation Checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase (and urldecode for body args).
  • No match.value contains capital letters.
  • Rule uses contains instead of regex where applicable.
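A plain-Python reference check of the two conditions the description lists, added here as an illustration (it is not CrowdSec's rule engine and not the YAML in this PR). The sample requests, the `transform`, `body_arg`, `matches` and `evaluate_samples` names, and the double-encoded variant are all constructed for the example:

```python
"""Mirror of the rule's logic over constructed sample requests:
URI contains "/-/xaml/" (lowercased) AND the __PARAMETERS body argument
contains "addtocache" after urldecode + lowercase transforms."""
from urllib.parse import parse_qs, unquote

URI_NEEDLE = "/-/xaml/"        # common prefix of Sitecore XAML control endpoints
METHOD_NEEDLE = "addtocache"   # reflection method named in the description, lowercased


def transform(value: str) -> str:
    """Apply the rule's body-arg transforms in order: urldecode, then lowercase.
    The form parser below already decodes one layer, so this extra unquote is
    what catches a double-encoded payload."""
    return unquote(value).lower()


def body_arg(body: str, name: str) -> list[str]:
    """All values of a form-encoded body argument, decoded once by the parser."""
    return parse_qs(body, keep_blank_values=True).get(name, [])


def matches(uri: str, body: str) -> bool:
    """True only when both conditions hold: XAML endpoint AND AddToCache method."""
    if URI_NEEDLE not in uri.lower():
        return False
    return any(METHOD_NEEDLE in transform(v) for v in body_arg(body, "__PARAMETERS"))


# Constructed samples (not captured traffic): (uri, raw form body).
SAMPLES = [
    # endpoint from the description, __PARAMETERS = {"method":"AddToCache"} URL-encoded
    ("/-/xaml/Sitecore.Shell.Applications.Dialogs.ItemLister.ItemLister",
     "__PARAMETERS=%7B%22method%22%3A%22AddToCache%22%7D"),
    # upper-case path segment and a double-encoded body: lowercase + urldecode still match
    ("/-/XAML/Some.Control",
     "__PARAMETERS=%257B%2522method%2522%253A%2522addtocache%2522%257D"),
    # same endpoint but a different method: no match (this is what keeps FPs down)
    ("/-/xaml/Some.Control",
     "__PARAMETERS=%7B%22method%22%3A%22Refresh%22%7D"),
    # AddToCache outside the XAML prefix: no match
    ("/api/items",
     "__PARAMETERS=%7B%22method%22%3A%22AddToCache%22%7D"),
    # XAML endpoint with no body argument at all: no match
    ("/-/xaml/Some.Control", ""),
]


def evaluate_samples() -> list[bool]:
    """Verdict per sample, in SAMPLES order."""
    return [matches(uri, body) for uri, body in SAMPLES]


if __name__ == "__main__":
    for (uri, _), hit in zip(SAMPLES, evaluate_samples()):
        print(f"{'MATCH ' if hit else 'pass  '} {uri}")
```

The second sample is the reason the checklist insists on `urldecode` for body args: a form parser decodes only one layer, so without that transform a `%25`-encoded payload would slip past a `contains` on `addtocache`.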

@github-actions


Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2025-53693 🔴

@github-actions


Hello @crowdsec-automation,

Scenarios/AppSec Rules are compliant with the taxonomy, thank you for your contribution!
