Preface: Perhaps it is a design limitation. SharePoint did not check the source markup of an application package which provides an opportunity to attacker. However when you read the prerequisite requirement of the proof of concept. You will feel that it might have difficulties to exploit this vulnerability. However it found a way to trigger this vulnerability. So we must be aware of it.

Vulnerability details: An authenticated attacker can craft pages to trigger a server-side include that can be leveraged to leak the web[.]config file. The attacker can leverage this to achieve remote code execution.

Prerequisite: the attacker needs AddAndCustomizePages permission enabled which is the default.

Hints: Add and Customize Pages permission is from site level, the permission is not in list permission level. When you get full control in list permission level, you may not get the permission from site level. You can add a new permission level which only includes Add and Customize Pages permission, and then create new SharePoint group with this permission level. Then add yourself into the SharePoint group and you will get the Add and Customize Pages permission from site level.
If it is in the site level, please make sure you have enable Custom Scripting in SharePoint admin center. Go to SharePoint admin center> Settings> Custom Script.

Remedy: The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952