Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-6230

Summary
Assigner-lenovo
Assigner Org ID-da227ddf-6e25-4b41-b023-0f976dcaca4b
Published At-17 Jul, 2025 | 19:19
Updated At-18 Aug, 2025 | 20:14
Rejected At-
Credits

A SQL injection vulnerability was reported in Lenovo Vantage that could allow a local attacker to modify the local SQLite database and execute limited SQLite commands.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:lenovo
Assigner Org ID:da227ddf-6e25-4b41-b023-0f976dcaca4b
Published At:17 Jul, 2025 | 19:19
Updated At:18 Aug, 2025 | 20:14
Rejected At:
▼CVE Numbering Authority (CNA)

A SQL injection vulnerability was reported in Lenovo Vantage that could allow a local attacker to modify the local SQLite database and execute limited SQLite commands.

Affected Products
Vendor
Lenovo Group LimitedLenovo
Product
Vantage
Default Status
unaffected
Versions
Affected
  • From 0 before 10.2501.20.0 (custom)
Vendor
Lenovo Group LimitedLenovo
Product
Commercial Vantage
Default Status
unaffected
Versions
Affected
  • From 0 before 20.2506.39.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
4.04.8MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
3.15.3MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Version: 4.0
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Lenovo Vantage to version 10.2501.20.0 (or newer).

Update Lenovo Commercial Vantage to version 20.2506.39.0 (or newer).

Configurations
Workarounds
Exploits
Credits
finder
Lenovo thanks Bryan Alexander of Atredis Partners for reporting this issue.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.lenovo.com/us/en/product_security/LEN-196648
N/A
Hyperlink: https://support.lenovo.com/us/en/product_security/LEN-196648
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@lenovo.com
Published At:17 Jul, 2025 | 20:15
Updated At:19 Aug, 2025 | 16:32

A SQL injection vulnerability was reported in Lenovo Vantage that could allow a local attacker to modify the local SQLite database and execute limited SQLite commands.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.04.8MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.15.3MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary3.15.3MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 4.0
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CPE Matches
Lenovo Group Limited
lenovo
>>commercial_vantage>>Versions before 20.2506.39.0(exclusive)
cpe:2.3:a:lenovo:commercial_vantage:*:*:*:*:*:*:*:*
Lenovo Group Limited
lenovo
>>vantage>>Versions before 10.2501.20.0(exclusive)
cpe:2.3:a:lenovo:vantage:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Secondarypsirt@lenovo.com
CWE ID: CWE-89
Type: Secondary
Source: psirt@lenovo.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://support.lenovo.com/us/en/product_security/LEN-196648psirt@lenovo.com
Vendor Advisory
Hyperlink: https://support.lenovo.com/us/en/product_security/LEN-196648
Source: psirt@lenovo.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

9Records found
CVE-2025-1479
Matching Score-8
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-8
Assigner-Lenovo Group Ltd.
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.39%
||
7 Day CHG~0.00%
Published-30 May, 2025 | 19:13
Updated-03 Jun, 2025 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An open debug interface was reported in the Legion Space software included on certain Legion devices that could allow a local attacker to execute arbitrary code.

Action-Not Available
Vendor-Lenovo Group Limited
Product-Legion Space for Legion GoLegion Space for Legion PC
CWE ID-CWE-489
Active Debug Code
CVE-2023-4608
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-4.1||MEDIUM
EPSS-0.10% / 27.45%
||
7 Day CHG~0.00%
Published-24 Oct, 2023 | 20:25
Updated-11 Sep, 2024 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.  This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

Action-Not Available
Vendor-Lenovo Group Limited
Product-thinkagile_vx7531thinksystem_sr670_firmwarethinkagile_mx3531_h_hybridthinkagile_hx3375_firmwarethinksystem_sr675_v3_firmwarethinkagile_hx5530thinksystem_sr850_v2_firmwarethinksystem_sr250_v2thinksystem_sr665_firmwarethinksystem_sd630_v2_firmwarethinkagile_hx2330_firmwarethinksystem_sd650_v2_firmwarethinksystem_sd665_v3_firmwarethinksystem_sr665_v3_firmwarethinkagile_mx3330-h_hybrid_firmwarethinksystem_sr850_v3_firmwarethinksystem_st250_v2_firmwarethinkagile_hx3330thinkagile_hx7530_firmwarethinkagile_hx2330thinksystem_sr645_v3_firmwarethinkagile_mx3331-f_all-flashthinkagile_vx7530_firmwarethinkagile_hx1331_firmwarethinksystem_sd650-n_v2_firmwarethinksystem_sn550_v2_firmwarethinksystem_sr860_v3_firmwarethinkagile_hx7530thinksystem_st658_v2thinkagile_mx3331-f_all-flash_firmwarethinksystem_sr850_v2thinkagile_mx3530_f_all_flashthinksystem_sr650_v2_firmwarethinksystem_sr665thinksystem_sr630_v2thinksystem_sr860_v2thinksystem_sr635_v3_firmwarethinksystem_st650_v2thinksystem_sr258_v2thinkagile_mx3531_h_hybrid_firmwarethinkagile_hx3375thinkagile_mx3530_f_all_flash_firmwarethinkagile_mx3530-h_hybridthinkagile_vx3330thinkagile_hx3331_firmwarethinkagile_mx3330-h_hybridthinkagile_hx5530_firmwarethinkagile_vx3331thinksystem_st258_v2thinksystem_sr645_v3thinkagile_hx3330_firmwarethinksystem_st658_v3_firmwarethinksystem_sd650-n_v2thinksystem_sr670_v2_firmwarethinksystem_sr630_v3_firmwarethinksystem_sr670_v2thinksystem_sd650_v2thinkagile_mx3331-h_hybridthinksystem_sr655_v3_firmwarethinksystem_sr650_v2thinkagile_vx7330thinkagile_hx1331thinkagile_hx3331thinksystem_sr250_firmwarethinkagile_mx3531-f_all-flash_firmwarethinkagile_mx3530-h_hybrid_firmwarethinkagile_vx7530thinksystem_sd630_v2thinkagile_mx3330-f_all-flashthinkagile_hx5531thinksystem_st250_v2thinksystem_sr860_v2_firmwarethinksystem_sr650_v3_firmwarethinkagile_mx3330-f_all-flash_firmwarethinkagile_hx2331thinkagile_vx5530thinkagile_hx7531_firmwarethinksystem_sn550_v2thinksystem_sr645thinksystem_sd650_v3_firmwarethinksystem_sr670thinksystem_sr258_v2_firmwarethinkagile_mx3531-f_all-flashthinkagile_vx3331_firmwarethinkagile_hx2331_firmwarethinkagile_vx2330_firmwarethinksystem_st650_v2_firmwarethinkagile_vx3530-g_firmwarethinksystem_st258_v2_firmwarethinksystem_sr630_v2_firmwarethinksystem_st650_v3_firmwarethinkagile_hx3376_firmwarethinkagile_hx3376thinkagile_hx5531_firmwarethinkagile_vx7531_firmwarethinkagile_vx2330thinkagile_vx7330_firmwarethinkagile_vx5530_firmwarethinkagile_mx3331-h_hybrid_firmwarethinkagile_vx3330_firmwarethinkagile_vx3530-gthinkagile_hx7531thinksystem_st658_v2_firmwarethinksystem_sr645_firmwareLenovo XClarity Controller (XCC)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-14066
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 28.43%
||
7 Day CHG~0.00%
Published-15 Jul, 2018 | 16:00
Updated-16 Sep, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo.

Action-Not Available
Vendor-infinixmobilityn/aLenovo Group LimitedGoogle LLC
Product-androidlenovo_a7020infinix_x571n/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-34418
Matching Score-6
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-6
Assigner-Lenovo Group Ltd.
CVSS Score-8.1||HIGH
EPSS-0.23% / 45.63%
||
7 Day CHG~0.00%
Published-26 Jun, 2023 | 19:45
Updated-03 Dec, 2024 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API.

Action-Not Available
Vendor-Lenovo Group Limited
Product-xclarity_administratorLenovo XClarity Administrator
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-34930
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.04%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 16:26
Updated-25 Mar, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability in /model/all_events1.php in Campcodes Complete Web-Based School Management System 1.0 allows attacker to execute arbitrary SQL commands via the month parameter.

Action-Not Available
Vendor-n/aCampCodes
Product-complete_web-based_school_management_systemn/acomplete_web-based_school_management_system
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-33161
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 14.97%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 00:00
Updated-16 Apr, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

J2EEFAST v2.7.0 was discovered to contain a SQL injection vulnerability via the sql_filter parameter in the unallocatedList() function.

Action-Not Available
Vendor-j2eefastn/aj2eefast
Product-j2eefastn/aj2eefast
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-35357
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 31.49%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 16:01
Updated-11 Apr, 2025 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been discovered in Diño Physics School Assistant version 2.3. The vulnerability impacts an unidentified code within the file /classes/Master.php?f=delete_item. Manipulating the argument id can result in SQL injection.

Action-Not Available
Vendor-dino_physics_school_assistant_projectn/adino_physics_school_assistant_project
Product-dino_physics_school_assistantn/adino_physics_school_assistant
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-45021
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 4.54%
||
7 Day CHG~0.00%
Published-30 Apr, 2025 | 00:00
Updated-09 May, 2025 | 13:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL Injection vulnerability was identified in the admin/edit-directory.php file of the PHPGurukul Directory Management System v2.0. Attackers can exploit this vulnerability via the email parameter in a POST request to execute arbitrary SQL commands.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-directory_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-32753
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 4.00%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 13:46
Updated-11 Jul, 2025 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering.

Action-Not Available
Vendor-Dell Inc.
Product-powerscale_onefsPowerScale OneFS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Details not found