{"id":"CVE-2020-24619","details":"In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check misuses TLS because of setPeerVerifyMode(QSslSocket::VerifyNone). A man-in-the-middle attacker could offer a spoofed download resource.","modified":"2026-04-11T15:27:38.570974Z","published":"2020-09-22T12:15:12.253Z","references":[{"type":"ADVISORY","url":"https://shotcut.org/blog/new-release-200913/"},{"type":"FIX","url":"https://github.com/mltframework/shotcut/commit/f008adc039642307f6ee3378d378cdb842e52c1d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mltframework/shotcut","events":[{"introduced":"0"},{"fixed":"0898bdf3fc0f9f3fbf78336bad21d5506e19c118"},{"fixed":"f008adc039642307f6ee3378d378cdb842e52c1d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"20.09.13"}]}}],"versions":["qt4-end","v14.05","v14.06","v14.07","v14.08","v14.09","v14.10","v14.11","v14.12","v15.01","v15.02","v15.03","v15.04","v15.05","v15.06","v15.07","v15.08","v15.09","v15.10","v15.11","v15.12","v16.01","v16.02","v16.04","v16.05","v16.06","v16.07","v16.08","v16.09","v16.10","v16.11","v16.12","v17.01","v17.02","v17.03","v17.04","v17.05","v17.06","v17.08","v17.09","v17.10","v17.11","v17.12","v18.01","v18.03","v18.03.06","v18.05","v18.05.08","v18.06","v18.06.02","v18.07","v18.08","v18.08.11","v18.08.14","v18.09.13","v18.09.15","v18.09.16","v18.10.01","v18.10.08","v18.11.04","v18.11.13","v18.11.18","v18.12.15","v18.12.23","v19.01.19","v19.01.24","v19.01.27","v19.02.20","v19.02.28","v19.04.21","v19.04.30","v19.06.04","v19.06.15","v19.07.07","v19.07.15","v19.08.05","v19.08.16","v19.09.02","v19.09.14","v19.10.10","v19.10.20","v19.12.08","v19.12.16","v19.12.23","v19.12.31","v20.02.02","v20.02.17","v20.04.01","v20.04.05","v20.04.12","v20.06.05","v20.06.14","v20.06.28","v20.07.11","v20.09.01"],"database_specific":{"vanir_signatures":[{"id":"CVE-2020-24619-b2bacf3e","digest":{"line_hashes":["218835352193985310667251100491515934596","14356802297276925708397881295076190062","283624680693997055244457804723509477920","316956125033937846239920343373399289822","284496460002279050771324823534250079195","156318147616756500413885702827517109168","83309359447669589081561733789952682453","205532388416644846912483906197458128777","235108946773474358458222153130293560760","318358985925431750142513381666330506001","222734233440672528789425360235066704765","55075922948617209456751417565219575959","5525732070329115122821140372409217499","224327118195763995293614638739610946651"],"threshold":0.9},"signature_type":"Line","deprecated":false,"signature_version":"v1","target":{"file":"src/mainwindow.cpp"},"source":"https://github.com/mltframework/shotcut/commit/f008adc039642307f6ee3378d378cdb842e52c1d"},{"id":"CVE-2020-24619-ba497661","digest":{"function_hash":"331677563975458575107632949369917438523","length":632},"signature_type":"Function","deprecated":false,"signature_version":"v1","target":{"function":"MainWindow::showUpgradePrompt","file":"src/mainwindow.cpp"},"source":"https://github.com/mltframework/shotcut/commit/f008adc039642307f6ee3378d378cdb842e52c1d"},{"id":"CVE-2020-24619-d6a9f92f","digest":{"function_hash":"59977476673893318827283970166411004222","length":832},"signature_type":"Function","deprecated":false,"signature_version":"v1","target":{"function":"MainWindow::on_actionUpgrade_triggered","file":"src/mainwindow.cpp"},"source":"https://github.com/mltframework/shotcut/commit/f008adc039642307f6ee3378d378cdb842e52c1d"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24619.json","vanir_signatures_modified":"2026-04-11T15:27:38Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}