Question regarding security issue (4.5.6)

Good question. No, they need to have a valid login and be able to access a certain settings page within the admin. I can’t release too much information at this time (we are preparing a proper and full explanation disclosure blog post).

The person who reported the vulnerability wrote a long and detailed blog post as well that dives into the specifics that will come out at the same time as ours.

While we (Strapi) will not be releasing a patch for v3 since it’s EOL, a manual patch could be created to be used with patch-package if needed by you. We will be providing instructions on how to construct these patches.
