This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.
The module doesn't sufficiently validate access when the JSONAPI module is also installed.
This vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.