https://lemmy.world/post/1293336
Seems to be a pretty good summary? Feel free to ping me back if you need help understanding it.
Its a pretty straight forward XSS vulnerability. That basically means that the attacker got Javascript code execution upon the population, including the administrators. When you get Javascript execution, you almost always just steal cookies. Once the cookies to an administrator were stolen, then the admin-actions could be executed (such as changing the sidebar, making false posts / misinformation, etc. etc.)