From 8aa8bb5f2ca6f3346464373c87abc888203e3330 Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 8 Apr 2026 15:19:27 +0200
Subject: [PATCH 1/4] Add vpatch-CVE-2020-5847 rule
---
 .../crowdsecurity/vpatch-CVE-2020-5847.yaml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2020-5847.yaml
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2020-5847.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2020-5847.yaml
new file mode 100644
index 00000000000..a51e895a994
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2020-5847.yaml
@@ -0,0 +1,35 @@
+## autogenerated on 2026-04-08 13:19:24
+name: crowdsecurity/vpatch-CVE-2020-5847
+description: 'Detects UnRaid <=6.80 remote code execution via crafted site[x][text] parameter in green-on.png endpoint.'
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: contains
+ value: '/webgui/images/green-on.png'
+ - zones:
+ - ARGS
+ variables:
+ - 'site[x][text]'
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: contains
+ value: '
Date: Wed, 8 Apr 2026 15:19:29 +0200
Subject: [PATCH 2/4] Add vpatch-CVE-2020-5847 test config
---
 .appsec-tests/vpatch-CVE-2020-5847/config.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2020-5847/config.yaml
diff --git a/.appsec-tests/vpatch-CVE-2020-5847/config.yaml b/.appsec-tests/vpatch-CVE-2020-5847/config.yaml
new file mode 100644
index 00000000000..b2219636aa3
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2020-5847/config.yaml
@@ -0,0 +1,5 @@
+## autogenerated on 2026-04-08 13:19:24
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/base-config.yaml
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2020-5847.yaml
+nuclei_template: CVE-2020-5847.yaml
From 65e96091138454465c62a64485e6b1ddfe7d0dda Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 8 Apr 2026 15:19:31 +0200
Subject: [PATCH 3/4] Add CVE-2020-5847.yaml test
---
 .../vpatch-CVE-2020-5847/CVE-2020-5847.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2020-5847/CVE-2020-5847.yaml
diff --git a/.appsec-tests/vpatch-CVE-2020-5847/CVE-2020-5847.yaml b/.appsec-tests/vpatch-CVE-2020-5847/CVE-2020-5847.yaml
new file mode 100644
index 00000000000..765a7521948
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2020-5847/CVE-2020-5847.yaml
@@ -0,0 +1,17 @@
+## autogenerated on 2026-04-08 13:19:24
+id: CVE-2020-5847
+info:
+ name: CVE-2020-5847
+ author: crowdsec
+ severity: info
+ description: CVE-2020-5847 testing
+ tags: appsec-testing
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/webGui/images/green-on.png/?path=x&site[x][text]=%3C?php%20echo%20md5(%22CVE-2020-5847%22);%20?%3E"
+ cookie-reuse: true
+ matchers:
+ - type: status
+ status:
+ - 403
From 8cfc3379feec9b5be9fa1629b25a552ccb662c74 Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 8 Apr 2026 15:19:33 +0200
Subject: [PATCH 4/4] Add vpatch-CVE-2020-5847 rule to vpatch collection
---
 collections/crowdsecurity/appsec-virtual-patching.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index 7ccf9a8bf03..e30a4e213ac 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -65,6 +65,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-29824
 - crowdsecurity/vpatch-CVE-2025-8110
 - crowdsecurity/vpatch-CVE-2024-27348
+- crowdsecurity/vpatch-CVE-2020-5847
 - crowdsecurity/vpatch-CVE-2020-5902
 - crowdsecurity/vpatch-CVE-2018-13379
 - crowdsecurity/vpatch-CVE-2022-26134
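Review bot: The test added in `.appsec-tests/vpatch-CVE-2020-5847/CVE-2020-5847.yaml` (PATCH 3/4) asserts only a 403 for one encoded request, so it would still pass if the rule blocked every request to the `green-on.png` path regardless of the `site[x][text]` argument. If the hub's test harness supports it, a companion request to the same path without that argument, expected not to return 403, would pin the `and` of the two conditions and guard against false positives on a static image URL. `cookie-reuse: true` has no effect on a single stateless GET and can be dropped. The request keeps the mixed-case `/webGui/` while the rule in PATCH 1/4 matches the lowercased `/webgui/images/green-on.png`; a comment above the path such as `# relies on the rule's lowercase transform; keep the mixed-case /webGui/` would stop someone normalising it later.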