LiveActive security incident?Get immediate response
CVE archive

January 2023

Browse CVE records published in January 2023, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2291 matching CVEs · Page 1 of 46.

High · CVSS 8.9

CVE-2023-36998: The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based...

The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the stack with arbitrary bytes. An attacker with a cellphone connection to any base station managed by the MME may exploit this vulnerability without having to authenticate with the LTE core.

Published Jan 22, 2025 · Updated Jul 5, 2026

Medium · CVSS 6.6

CVE-2023-6955: Missing Authorization in GitLab

A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.

Published Jan 12, 2024 · Updated Jun 27, 2026

High · CVSS 7.4

CVE-2023-40548: Shim: interger overflow leads to heap buffer overflow in verify_sbat_section on 32-bits systems

A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.

Published Jan 29, 2024 · Updated Jun 26, 2026

High · CVSS 8.3

CVE-2023-40547: Shim: rce in http boot support may lead to secure boot bypass

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

Published Jan 25, 2024 · Updated Jun 26, 2026

Critical · CVSS 10 · CISA KEV

CVE-2023-7028: Weak Password Recovery Mechanism for Forgotten Password in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Published Jan 12, 2024 · Updated May 26, 2026

Medium · CVSS 6.1

CVE-2023-54332: Jetpack 11.4 - Cross Site Scripting (XSS)

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page.

Published Jan 13, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2023-53985: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context.

Published Jan 13, 2026 · Updated May 24, 2026

Critical · CVSS 9.8

CVE-2023-5806: SQLi in Mergen Soft Quality Management System

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection. This issue affects Quality Management System: before v1.2.

Published Jan 18, 2024 · Updated May 20, 2026

Critical · CVSS 9.8

CVE-2023-6436: SQLi in Ekol Bilisim Website Template

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection. This issue affects Website Template: through 20231215.

Published Jan 2, 2024 · Updated May 20, 2026

Medium · CVSS 6.1

CVE-2023-7153: Reflected XSS in Macroturk's Macro-Bel

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Macroturk Software and Internet Technologies Macro-Bel allows Reflected XSS. This issue affects Macro-Bel: before V.1.0.1.

Published Jan 18, 2024 · Updated May 20, 2026

Critical · CVSS 9.3

CVE-2023-7334: Changjetong T+ <= 16.x GetStoreWarehouseByStore Deserialization RCE

Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).

Published Jan 15, 2026 · Updated May 14, 2026

Medium · CVSS 5.3

CVE-2023-6780: Glibc: integer overflow in __vsyslog_internal()

An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.

Published Jan 31, 2024 · Updated May 12, 2026

High · CVSS 8.2

CVE-2023-6779: Glibc: off-by-one heap-based buffer overflow in __vsyslog_internal()

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.

Published Jan 31, 2024 · Updated May 12, 2026

High · CVSS 8.4

CVE-2023-6246: Glibc: heap-based buffer overflow in __vsyslog_internal()

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Published Jan 31, 2024 · Updated May 12, 2026

Medium · CVSS 6.5

CVE-2023-6129: POLY1305 MAC implementation corrupts vector registers on PowerPC

Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.

Published Jan 9, 2024 · Updated May 12, 2026

Medium · CVSS 6.5

CVE-2023-6159: Inefficient Regular Expression Complexity in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.

Published Jan 26, 2024 · Updated May 6, 2026

High · CVSS 7.6

CVE-2023-4812: Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request.

Published Jan 12, 2024 · Updated May 1, 2026