[HIGH] Form API ignores access restrictions on submit buttons

PKSA-f2tr-vkvs-rn6s CVE-2016-3165 GHSA-4gh5-3hqj-x3pj

Affected package: drupal/core

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories, GitHub