{"id":"CVE-2015-5211","details":"Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.","aliases":["GHSA-pgf9-h69p-pcgf"],"modified":"2026-04-16T06:24:45.784070514Z","published":"2017-05-25T17:29:00Z","references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2015-5211"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"type":"ARTICLE","url":"https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/"},{"type":"EVIDENCE","url":"https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}