Summary

CVE-ID: CVE-2023-27218

Vendor: Shotcut

Discovered by: Ronald Barbosa (F4)

Affected Version: All versions up to and including v22.12.21

Vulnerability Type: XML External Entity (XXE)

Attack Type: Remote

Impact: Server-Side Request Forgery (SSRF), Local File Disclosure


Affected Component

Shotcut's .mlt project file parser fails to securely process XML content. These files are used internally by Shotcut to manage media timelines and metadata. Improper XML parsing allows injection of arbitrary external entities.


Vulnerability Details

Shotcut project files are XML-based and are parsed without disabling dangerous parser features such as DOCTYPE declarations and external entity resolution.
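As an added example (not Shotcut's or MLT's own code), a hardened loader in Python that refuses any .mlt document carrying a DOCTYPE before the XML is parsed, which is where an external entity would have to be declared; the same check can be used to triage existing project files. Both sample documents are constructed and simplified, not taken from a real project.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeProjectFile(ValueError):
    """Raised when an .mlt document carries a DOCTYPE (and so may declare entities)."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused: a legitimate .mlt never needs one, and it is the
    # only place an external entity (SYSTEM "file://..." / "http://...") can be declared.
    raise UnsafeProjectFile(f"DOCTYPE '{name}' is not permitted in an .mlt project file")


def doctype_present(xml_text: str) -> bool:
    """Pre-scan with a plain expat tokenizer; no entity is resolved during the scan."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    try:
        parser.Parse(xml_text, True)
    except UnsafeProjectFile:
        return True
    return False


def load_mlt(xml_text: str) -> ET.Element:
    """Hardened loader: reject DOCTYPE first, only then build the element tree."""
    if doctype_present(xml_text):
        raise UnsafeProjectFile("refusing .mlt project file with DOCTYPE/entity declarations")
    return ET.fromstring(xml_text)


def producer_resources(xml_text: str) -> list:
    """Media paths referenced by the project, read only after the safety check."""
    root = load_mlt(xml_text)
    return [p.text for p in root.iter("property") if p.get("name") == "resource"]


# Constructed, simplified .mlt documents for demonstration.
SAFE_MLT = """<?xml version="1.0"?>
<mlt LC_NUMERIC="C" version="7.0.0" title="constructed sample">
  <profile description="HD 1080p 30 fps" width="1920" height="1080"/>
  <producer id="producer0"><property name="resource">clip.mp4</property></producer>
</mlt>"""

UNSAFE_MLT = """<?xml version="1.0"?>
<!DOCTYPE mlt [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER-PATH"> ]>
<mlt><producer id="producer0"><property name="resource">&ext;</property></producer></mlt>"""
```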

By crafting a malicious .mlt file with an external entity (<!ENTITY>), an attacker can: