A few months back I reported this vulnerability Demoted business admin could apply blocklist to all ad accounts and FB rewarded me 500$ for this Vulnerability. After a little bit of more testing, I noticed I can still apply blocklist with low privileges to all Ad accounts in Business Manager.
This could allow a demoted business admin to apply blocklist to all ad accounts
You need 2 Admin (Admin A, Admin B) accounts in a business manager.
1. From Admin B account upload new Blocklists and apply it to all ad accounts.
2. From Admin A account change permission of “Admin B” to the employee.
3. Now, from Admin B account (Which is not an employee) visit blocklist page and you will notice you can upload block list but you can’t apply it on all ad accounts.
4. For uploading new blocklists to all ad accounts, simply replace previous blocklists which were uploaded by you and applied to all ad accounts.
5. New block lists will be updated/applied to all ad accounts.