Vulnerability Information
Vulnerability Title
Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch
Vulnerability Description
Plane is an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
CVSS Information
N/A
Vulnerability Type
Authorization Bypass Through User-Controlled Key
Vulnerability Title
Plane Security Vulnerability
Vulnerability Description
Plane is an open-source, self-hosted project planning tool published by Plane. Versions of Plane prior to 1.2.2 contain a security vulnerability: the ProjectAssetEndpoint.patch() method performs a global asset lookup using only the asset ID, without verifying that the asset belongs to the workspace and project specified in the URL path. This may allow any authenticated user to modify the asset attributes and upload status of any workspace or project across the entire Plane instance by guessing or enumerating asset UUIDs.
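The lookup pattern behind both descriptions above, shown as an added example rather than Plane's own code: an unscoped lookup keyed on the asset id alone beside the tenant-scoped form. The `FileAsset` dataclass, the `workspace_slug`/`project_id` fields, the `NotFound` class and the `patch_*` helpers are constructed stand-ins for the ORM, not the real Plane models or the real fix.

```python
from dataclasses import dataclass, field
from uuid import UUID, uuid4


class NotFound(Exception):
    """Stand-in for an ORM DoesNotExist error or an HTTP 404 response."""


@dataclass
class FileAsset:
    # Constructed stand-in for the asset model; field names are assumptions.
    id: UUID
    workspace_slug: str
    project_id: UUID
    attributes: dict = field(default_factory=dict)
    is_uploaded: bool = False


# Constructed sample data: one asset in each of two unrelated workspaces.
WS_A_PROJECT = uuid4()
WS_B_PROJECT = uuid4()


def sample_assets():
    return [
        FileAsset(uuid4(), "workspace-a", WS_A_PROJECT, {"name": "a.png"}, True),
        FileAsset(uuid4(), "workspace-b", WS_B_PROJECT, {"name": "b.pdf"}, True),
    ]


def patch_unscoped(assets, slug, project_id, pk, attributes, is_uploaded):
    """Vulnerable pattern (cf. FileAsset.objects.get(id=pk)): slug and
    project_id arrive from the URL but never take part in the lookup."""
    asset = next((a for a in assets if a.id == pk), None)
    if asset is None:
        raise NotFound
    asset.attributes, asset.is_uploaded = attributes, is_uploaded
    return asset


def patch_scoped(assets, slug, project_id, pk, attributes, is_uploaded):
    """Hardened pattern: key the lookup on (workspace, project, pk), so an
    asset of another tenant is indistinguishable from a missing one.
    The ORM equivalent is a get()/filter() that also constrains workspace
    and project, not id alone."""
    asset = next((a for a in assets if a.id == pk
                  and a.workspace_slug == slug
                  and a.project_id == project_id), None)
    if asset is None:
        raise NotFound
    asset.attributes, asset.is_uploaded = attributes, is_uploaded
    return asset
```

Because the scoped variant returns the same "not found" result for foreign and nonexistent ids, it also removes the oracle that makes UUID enumeration worthwhile.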
CVSS Information
N/A
Vulnerability Type
N/A