crowdsec-automation
Contributor

This rule detects attempts to exploit the authentication bypass vulnerability in TRUfusion Enterprise (CVE-2025-27223). The detection is based on two main criteria:

  • The request URI contains /trufusionportal/getprojectlist, which is a sensitive endpoint that should require authentication.
  • The request includes a COOKIEID in the Cookie header, which is the session identifier that can be forged due to the hard-coded cryptographic key vulnerability.

The rule uses the HEADERS_NAMES zone with a contains match for cookieid (case-insensitive) to ensure it triggers only when the relevant session cookie is present. The lowercase transform is applied to both URI and header name checks to ensure case-insensitive matching. This approach minimizes false positives by focusing on the specific endpoint and the presence of the vulnerable session cookie.

Validation checklist:

  • All value: fields are lowercase.
  • All relevant transform: include lowercase.
  • No match.value contains capital letters.
  • The rule uses contains instead of regex where applicable.
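To make the two-criteria logic in this description concrete, here is an added example that is not the hub rule file or CrowdSec's AppSec engine: a small evaluator that applies the rule as described (URI zone and HEADERS_NAMES zone, both lowercased, both matched with `contains`, combined with AND) to constructed requests, so the case-insensitivity and the false-positive behaviour can be checked offline. The `zone`/`transform`/`match` key layout and the `Request` type are assumptions for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed HTTP request: only the fields the rule inspects."""
    uri: str
    headers: dict = field(default_factory=dict)

# The rule as data. The zone/transform/match shape mirrors how the PR
# describes the AppSec rule; the exact key names used here are assumed.
RULE = {
    "and": [
        {"zone": "URI", "transform": ["lowercase"],
         "match": {"type": "contains", "value": "/trufusionportal/getprojectlist"}},
        {"zone": "HEADERS_NAMES", "transform": ["lowercase"],
         "match": {"type": "contains", "value": "cookieid"}},
    ]
}

def zone_values(req: Request, zone: str) -> list[str]:
    """Return the request fields a zone exposes (URI and HEADERS_NAMES only)."""
    if zone == "URI":
        return [req.uri]
    if zone == "HEADERS_NAMES":
        return list(req.headers)
    raise ValueError(f"unsupported zone: {zone}")

def transform(value: str, transforms: list[str]) -> str:
    """Apply transforms in order; only lowercase is needed for this rule."""
    for name in transforms:
        if name != "lowercase":
            raise ValueError(f"unsupported transform: {name}")
        value = value.lower()
    return value

def clause_matches(req: Request, clause: dict) -> bool:
    """A clause matches if any value of its zone, after transforms, contains the target."""
    if clause["match"]["type"] != "contains":
        raise ValueError("only 'contains' is implemented in this example")
    target = clause["match"]["value"]
    return any(target in transform(v, clause["transform"])
               for v in zone_values(req, clause["zone"]))

def rule_matches(req: Request, rule: dict = RULE) -> bool:
    """All clauses under 'and' must match for the request to be flagged."""
    return all(clause_matches(req, c) for c in rule["and"])
```

A request to the endpoint without the session-cookie header name, or a request carrying that header name against another path, does not match, which is the false-positive property the description claims.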

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2025-27223 🔴

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
