Please note that, although it is an active check just for the XSS vulnerability, it also confirms the existence of the more severe CSRF vulnerability, as they share the same affected versions.
On a GSM you can always overwrite the severity manually, so the 10.0 can be dropped to the desired 4.3 for example.
From my side I see no error here, nor a need for an update of this VT with regard to removing a CVE and decreasing the CVSS score. What we could do is decrease the QoD to remote_analysis, as those XSS checks are not really reliable. Since it's quite an aged vulnerability, implementing an updated PoC is out of the question, I fear.
Nevertheless, I fully agree with @_ad. If an active VT is checking for a flaw (e.g. CVE-2004-2402) but the very same version (both CVEs affect YaBB 1 GOLD SP 1.3.2 and below) is also affected by a different flaw (e.g. CVE-2004-2403), it is absolutely valid and common practice to add both CVEs to this VT even if only one flaw is actively tested.
One thing that could be done is to mention the CSRF vulnerability in the VT in addition to the other two vulnerabilities. This will be done today and should arrive in the feed in the next few days.