CVE-2020-24619 in Shotcut
Summary
by MITRE
In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check misuses TLS because of setPeerVerifyMode(QSslSocket::VerifyNone). A man-in-the-middle attacker could offer a spoofed download resource.
Analysis
by VulDB Data Team • 09/10/2025
The vulnerability identified as CVE-2020-24619 affects Shotcut versions prior to 20.09.13, specifically the upgrade-check code in mainwindow.cpp. It undermines the integrity of the software's update mechanism: the Qt-based application's Transport Layer Security (TLS) verification is misconfigured, so when Shotcut connects to check for available updates it does not validate the server's SSL certificate, which gives a malicious actor an avenue to tamper with the update process.
The technical flaw is the explicit call to setPeerVerifyMode(QSslSocket::VerifyNone) in the upgrade-check code path. This setting disables peer certificate verification, removing the cryptographic check that the remote server is the one it claims to be. With verification deliberately switched off, a security boundary that would otherwise expose an impersonating server is gone: an attacker positioned between the Shotcut client and its update servers can intercept the traffic without detection and present spoofed software packages or malicious payloads to unsuspecting users.
The operational impact goes beyond simple software integrity, because the flaw defeats the security model of the update system as a whole. An attacker exploiting it could deliver malicious updates that look legitimate to end users, leading to unauthorized code execution, data theft, or system compromise. Users who rely on Shotcut's automatic update check are the ones affected, which makes the issue particularly dangerous where users do not manually verify update sources. Because the weakness sits in the software distribution channel, one attacker position can reach many users at once, making the attack vector scalable.
The weakness is classified as CWE-295 (improper certificate validation), and its characteristics are mapped to ATT&CK technique T1195.001, related to Phishing via System Process. Organizations and individuals running vulnerable versions of Shotcut face significant risk, since the attack surface includes any system that checks for updates automatically. The vulnerability is a failure of secure coding practice: a cryptographic control was deliberately weakened, creating an attack vector available to any threat actor with network access to the target systems.
Mitigation starts with upgrading immediately to Shotcut version 20.09.13 or later, which addresses the TLS verification issue. Administrators should also consider network-level controls such as SSL inspection policies, firewall rules that restrict outbound update traffic, or network monitoring to detect suspicious connections. The fix in the patched version should leave SSL socket verification properly configured, so that certificate validation takes place during the upgrade check and the intended security posture is restored. Finally, users should be educated on verifying software authenticity through multiple channels and should fall back to manual update verification whenever an automatic update mechanism is known to be compromised.
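The weak setting described in the analysis beside the corrected configuration the fix calls for, written here as an added Python analogue of the Qt call (this is not Shotcut's code; the C++ socket setup is not reproduced on this page). UPDATE_URL is a constructed placeholder and the function names are the editor's own.

```python
from __future__ import annotations
import json
import ssl
import urllib.request

# Constructed placeholder; the real Shotcut update endpoint is not given on this page.
UPDATE_URL = "https://updates.example.invalid/version.json"


def vulnerable_context() -> ssl.SSLContext:
    """Equivalent of setPeerVerifyMode(QSslSocket::VerifyNone): the session is
    still encrypted, but any certificate is accepted, so an on-path attacker
    can stand in for the update server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """What the fix should look like: chain validated against trusted roots,
    hostname matched against the certificate, legacy TLS versions refused."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """List the CWE-295 style weaknesses in a context; an empty list is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a Shotcut-style 'YY.MM.DD' version such as 20.09.13 into a comparable tuple."""
    return tuple(int(p) for p in text.strip().split("."))


def check_for_update(current: str, url: str = UPDATE_URL,
                     ctx: ssl.SSLContext | None = None) -> bool:
    """Fetch {"version": "..."} over verified TLS and report whether a newer build exists.
    With a hardened context a spoofed server fails the handshake instead of being
    able to hand back a bogus version and download location."""
    ctx = ctx or hardened_context()
    if audit_context(ctx):
        raise ValueError("refusing update check with weak TLS settings")
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        latest = json.load(resp)["version"]
    return parse_version(latest) > parse_version(current)
```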