NVD Advisory (severity: unrated). Published Feb 25, 2026. Updated Feb 25, 2026.
Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch
CVE-2026-27705
Description
Plane is an open-source project management tool. Prior to version 1.2.2, the ProjectAssetEndpoint.patch() method in apps/api/plane/app/views/asset/v2.py (lines 579–593) performs a global asset lookup using only the asset ID (pk) via FileAsset.objects.get(id=pk), without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the attributes and is_uploaded status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
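To make the IDOR pattern concrete, the following added example (not Plane's code, and not the fix shipped in 1.2.2) models the unscoped primary-key lookup the description names beside a lookup scoped to the workspace and project from the URL; the in-memory store, the field names workspace_slug and project_id, and the NotFound exception are assumptions standing in for the Django model and FileAsset.DoesNotExist.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class FileAsset:
    id: str
    workspace_slug: str
    project_id: str
    is_uploaded: bool = False


class NotFound(Exception):
    """Stands in for FileAsset.DoesNotExist (rendered as HTTP 404 by the view)."""


# Constructed sample data: two assets in two different workspaces and projects.
ACME_ASSET = "11111111-1111-4111-8111-111111111111"
GLOBEX_ASSET = "22222222-2222-4222-8222-222222222222"
ASSETS: Dict[str, FileAsset] = {
    ACME_ASSET: FileAsset(ACME_ASSET, "acme", "p-acme-1"),
    GLOBEX_ASSET: FileAsset(GLOBEX_ASSET, "globex", "p-globex-7"),
}


def lookup_unscoped(pk: str) -> FileAsset:
    """Vulnerable pattern, equivalent to FileAsset.objects.get(id=pk):
    the workspace and project in the URL are never consulted, so any
    asset whose UUID the caller knows is returned."""
    try:
        return ASSETS[pk]
    except KeyError:
        raise NotFound(pk)


def lookup_scoped(workspace_slug: str, project_id: str, pk: str) -> FileAsset:
    """Hardened pattern, equivalent to a filter on id AND the URL's
    workspace slug AND project id (assumed field names). An asset outside
    the caller's workspace/project is indistinguishable from a missing one."""
    asset = ASSETS.get(pk)
    if (asset is None or asset.workspace_slug != workspace_slug
            or asset.project_id != project_id):
        raise NotFound(pk)
    return asset


def patch_is_uploaded(workspace_slug: str, project_id: str, pk: str,
                      value: bool, scoped: bool = True) -> FileAsset:
    """Mimics the PATCH handler; returns the asset that was actually modified."""
    asset = (lookup_scoped(workspace_slug, project_id, pk) if scoped
             else lookup_unscoped(pk))
    asset.is_uploaded = value
    return asset
```

Running both variants with the same request (caller in workspace "acme", asset UUID from "globex") shows the unscoped lookup silently modifying the foreign asset while the scoped lookup refuses it with a 404-equivalent and leaves the record untouched.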
Affected products: 1
Patches: 0
No patches discovered yet.
References: 3
- github.com/makeplane/plane/commit/9070acbbe81bc02db5c169789da6862d5fc35d96 (MISC)
- github.com/makeplane/plane/releases/tag/v1.2.2 (MISC)
- github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j (CONFIRM)