XSS vulnerabilities
The affected administration pages require the user to be logged on with sufficient permissions. A malicious user cannot simply load the form processing page and use it to insert data. They must be logged on as an admin or the page will halt.
Thus the real risk arises when FestOS administrators do not log out before visiting other web sites. In that situation, code at those sites could take advantage of the lingering logged-on state, craft a special request to your FestOS site, and modify data (update a web page, add an administrator, etc.).
Until a fix is published, you can easily eliminate this vulnerability by logging out before leaving the site. Also, don't visit another site in another browser tab or window while you remain logged on to the FestOS admin system.
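The gap described above, where a logged-on session alone satisfies the form processing page, is modelled below next to a stricter check. This is an added example, not FestOS code and not the published fix; the session layout, request dictionaries, `festos.example` origin and function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://festos.example"  # constructed placeholder origin


def new_admin_session():
    """Create a logged-on admin session holding a random per-session token."""
    return {"is_admin": True, "csrf_token": secrets.token_urlsafe(32)}


def login_only_guard(session, request):
    """The check the advisory describes: halt only if not logged on as admin."""
    return bool(session and session.get("is_admin"))


def same_origin(request):
    """True if the Origin (or, failing that, Referer) header names this site."""
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_guard(session, request):
    """Login check plus proof that the request came from the site's own form."""
    if not login_only_guard(session, request):
        return False
    if request["method"] != "POST" or not same_origin(request):
        return False
    sent = request["form"].get("csrf_token", "")
    # Constant-time comparison against the token stored in the session.
    return hmac.compare_digest(sent.encode(), session["csrf_token"].encode())


def sample_requests(session):
    """Constructed requests: one from the admin form, one sent by another site."""
    own = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
           "form": {"title": "Schedule", "csrf_token": session["csrf_token"]}}
    foreign = {"method": "POST", "headers": {"Origin": "https://other.example"},
               "form": {"title": "Schedule"}}
    return own, foreign


if __name__ == "__main__":
    s = new_admin_session()
    for name, req in zip(("own form", "cross-site"), sample_requests(s)):
        print(name, login_only_guard(s, req), hardened_guard(s, req))
```

Both constructed requests pass the login-only check because the browser attaches the admin session either way; only the request carrying the session-bound token from the site's own origin passes the stricter one.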