A generic overview of the issue. I usually use the default text from OWASP as it explains the issue well, then include a more specific description of the issue identified within the application.
- The affected URLs or areas of the application where the issue exists.
- Risk: the overall severity rating assigned to the finding (e.g. Critical, High, Medium, Low).
- Difficulty to Exploit: how much skill, access and effort an attacker needs to exploit it.
- CVSS3 Score: the base score together with the vector string it was derived from, so the client can reproduce it.
- What kind of attacker can exploit this (external, internal, another user of the application)?
- Do they need authentication, and if so at what privilege level?
- Who else does it affect (other users, administrators, third parties)?
A clear outline of the steps required to execute the payload as an attacker. This can include how to set up the payload and launch it.
- Request (the exact HTTP request sent, with the payload highlighted)
- Response (the relevant part of the server's response proving the issue)
- Show, introduce, discuss: show the evidence, introduce what it is, then discuss what it demonstrates.
- Screenshots
- Explain who this issue affects.
- Is it everyone or just a select group of users?
- How can this occur?
- How do you fix the issue?
- What are the recommended remediation actions required to successfully fix issue X?
Include additional reading for the client to further back up the issues explained, or to elaborate on other potential issues chained to the one identified.
- [1] Reference 1
- [2] Reference 2