It was possible for an attacker to determine any Page Admin Role without any interaction.
Two endpoints, one performing an Invite and one a Removal to add and remove Contributors for Collections, were missing rate limiting.
Every Invite would send a notification to that Friend.
There was a GraphQL request which could be malformed to get the Demographic Audience data insight for any Facebook Page.
Demographic Audience data insight - Country (specific in this bug) likes insight.