From 6c0a81ed969afba7e629c04b848cc3108de95a62 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:35:00 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-53693 rule --- .../crowdsecurity/vpatch-CVE-2025-53693.yaml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-53693.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-53693.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-53693.yaml new file mode 100644 index 00000000000..61831722f33 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-53693.yaml @@ -0,0 +1,34 @@ +## autogenerated on 2026-06-17 10:34:57 +name: crowdsecurity/vpatch-CVE-2025-53693 +description: 'Detects Sitecore XAML AjaxScriptManager cache poisoning via AddToCache reflection method.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: '/-/xaml/' + - zones: + - BODY_ARGS + variables: + - __parameters + transform: + - lowercase + - urldecode + match: + type: contains + value: 'addtocache' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Sitecore - Cache Poisoning' + classification: + - cve.CVE-2025-53693 + - attack.T1190 + - cwe.CWE-20 From fa31e1a993b1db45ff7f1d51d85c53915770d4c4 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:35:02 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-53693 test config --- .appsec-tests/vpatch-CVE-2025-53693/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-53693/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-53693/config.yaml b/.appsec-tests/vpatch-CVE-2025-53693/config.yaml new file mode 100644 index 00000000000..45835b24634 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-53693/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-06-17 10:34:57 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-53693.yaml +nuclei_template: CVE-2025-53693.yaml From fc73f4a2498c6bd3cf58b20fb9d4976226c7e5dd Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:35:04 +0200 Subject: [PATCH 3/4] Add CVE-2025-53693.yaml test --- .../vpatch-CVE-2025-53693/CVE-2025-53693.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-53693/CVE-2025-53693.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-53693/CVE-2025-53693.yaml b/.appsec-tests/vpatch-CVE-2025-53693/CVE-2025-53693.yaml new file mode 100644 index 00000000000..7b7164e7a0c --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-53693/CVE-2025-53693.yaml @@ -0,0 +1,21 @@ +## autogenerated on 2026-06-17 10:34:57 +id: CVE-2025-53693 +info: + name: CVE-2025-53693 + author: crowdsec + severity: info + description: CVE-2025-53693 testing + tags: appsec-testing +http: + - raw: + - | + POST /-/xaml/Sitecore.Shell.Applications.Dialogs.ItemLister.ItemLister HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + __SOURCE=ItemLister&__PARAMETERS={"method":"AddToCache","parameters":["sitecore_cache_test_123456",""]} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 2916025cf9239978ba79fd55e9132c0d9690f0b5 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:35:06 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-53693 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index c4f95a425d8..c3f6b5d9b9c 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -46,6 +46,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2023-22527 - crowdsecurity/vpatch-CVE-2024-5057 - crowdsecurity/vpatch-CVE-2023-35078 +- crowdsecurity/vpatch-CVE-2025-53693 - crowdsecurity/vpatch-CVE-2023-35082 - crowdsecurity/vpatch-CVE-2023-24000 - crowdsecurity/vpatch-CVE-2022-22954