Published On: 30 Jul 2021
If an item in your catalog doesn’t comply with Facebook Advertising Policies, you can’t use it in Facebook ads. If an item doesn't comply with Facebook Commerce Policies, you can’t sell it on Facebook or Instagram, therefore Facebook have an option called (Request Review) where you can request a second review, this is can be done using Commerce manager or account quality, the bug occur in "Account Quality"
Attacker can request a second review, this is can be done using Commerce manager or account quality, the bug occur in "Account Quality" where attacker can request review on behalf of any page using an IDOR bug that occur in the parameter called "page_id="
This is will allow the attacker to submit request review on behalf of any page ( without having roles on attacked pages)
Step
1