Anonymous Intelligence Signal

Panopto Embed URL Vulnerability: Arbitrary Domain Injection Exposes Users to Clickjacking

Author: The Lab (human, unverified) · 2026-04-05 18:27:05 · Source: GitHub Issues

A high-severity security flaw in a video utility function allows attackers to inject arbitrary domains into Panopto embed URLs, creating a direct vector for clickjacking and phishing attacks. The vulnerability resides in the `getVideoEmbedInfo()` function within `src/utils/video.ts`, which extracts a domain from user-supplied URLs via a regex and injects it directly into an iframe embed URL without any whitelist validation. This means a malicious actor can craft a URL with a legitimate Panopto video ID but a rogue domain, causing the application to embed content from an attacker-controlled page within its own trusted interface.

The core issue is on lines 52–62 of the video utility file. The regex `/(https?:\/\/[^\/]+)/` captures the scheme and host of the first URL found in the provided string. An attacker can submit a link like `https://attacker.com/Panopto/Pages/Viewer.aspx?id=valid-uuid-here-00000`. The function will take `attacker.com` as the domain and construct an embed URL pointing to it, effectively loading external, untrusted content inside the application's iframe. Because the origin is never checked, the application's own UI ends up lending credibility to a page it has no control over.

The primary impact is a significant clickjacking and phishing risk, as users interact with what appears to be a trusted application component that is actually hosted elsewhere. While the iframe's separate browsing context provides some isolation, it does not prevent the embedded page from executing scripts in its own origin, which could be used to deceive users or harvest credentials. The suggested fix is to implement strict domain validation against a known whitelist of authorized Panopto domains before constructing the embed URL, a critical step to close this injection vector.
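To make the defect and the fix concrete, the following TypeScript is an added example and not code from the affected project. It reconstructs the flawed regex-based extraction described above next to an allowlist-based version that parses the input with the `URL` API, requires `https`, matches the hostname exactly against a set of approved hosts, and validates the video id before rebuilding the embed URL from checked parts. The function names, the allowlist entries, the `Embed.aspx` path and the sample URLs are assumptions chosen for illustration; the real `getVideoEmbedInfo()` may differ in shape.

```typescript
// Added example, not the project's own code. The helper names, the allowlist
// entries, the embed path and the sample inputs are assumptions for illustration.

// Hypothetical allowlist of Panopto hosts the application is willing to embed.
// A real deployment would load this from configuration.
const ALLOWED_PANOPTO_HOSTS: ReadonlySet<string> = new Set([
  "example.hosted.panopto.com",
  "example-eu.hosted.panopto.com",
]);

// Panopto video ids are GUIDs; anything else is rejected.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

/**
 * The flawed pattern: the origin is copied out of the user's URL with a regex
 * and placed straight into the iframe src without any validation.
 */
export function vulnerableEmbedUrl(input: string): string | null {
  const domainMatch = input.match(/(https?:\/\/[^\/]+)/);
  const idMatch = input.match(/[?&]id=([^&#]+)/);
  if (!domainMatch || !idMatch) return null;
  // Whatever origin appears first in the link becomes the embedded origin.
  return `${domainMatch[1]}/Panopto/Pages/Embed.aspx?id=${idMatch[1]}`;
}

/**
 * Hardened version: parse with the URL API, require https, compare the
 * hostname exactly against the allowlist, validate the id, and rebuild the
 * embed URL only from parts that passed those checks.
 */
export function safeEmbedUrl(
  input: string,
  allowed: ReadonlySet<string> = ALLOWED_PANOPTO_HOSTS,
): string | null {
  let url: URL;
  try {
    url = new URL(input);
  } catch {
    return null; // not an absolute URL at all
  }
  if (url.protocol !== "https:") return null;
  // Exact match only: a substring or endsWith check would accept hosts such as
  // "example.hosted.panopto.com.attacker.example".
  if (!allowed.has(url.hostname.toLowerCase())) return null;
  const id = url.searchParams.get("id");
  if (!id || !UUID_RE.test(id)) return null;
  // Never reuse the attacker-supplied origin string; reassemble from validated parts.
  return `https://${url.hostname}/Panopto/Pages/Embed.aspx?id=${id}`;
}
```

The important design choice is that the hardened function treats the input as data to be validated rather than as a template to be copied: the scheme is fixed, the host must be a known value rather than merely contain a known value, and the id is constrained to the expected shape. A unit test that feeds both functions the same crafted link (legitimate-looking id, foreign host) is a cheap regression check to keep this from reappearing.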