This bug was founded in a private program. So, this post would not disclose any information about the target. In order to not giving out anything about the target, all endpoints, parameters, token names mentioned in this post are made up. This post would name the target as redacted.com.
The bug allows attacker to take advantage of CORS misconfig to steal a token from victim. So, attacker can use that token to utilize unauthorized service of the target on behalf of victim.