Let's say a website has two vulnerabilities:
- Information Disclosure
- reflected XSS
Their impact by themselves is limited on the specific site, but when chained together, the impact is raised too high (e.g. transfer money to another account)
What would be the most appropriate way to present those vulnerabilities?
For brainstorming, I would say there are at least three options:
- Just have the two vulnerabilities without considering the chained impact
- Combine the two vulnerabilities in one with high impact.
- Have three vulnerabilities, the original two plus the affected critical functionality when the two are chained
The first option doesn't look appropriate, the third option, listing one extra vulnerability might be redundant. The second option doesn't look too bad, but in the case that two vulnerabilities are important by themselves, it could be more appropriate for both of them to have their own spot.