Trusted extra eyes for stuck bug bounty findings
On a cryptocurrency exchange, the session cookie is set without the HttpOnly flag, making it accessible to JavaScript. Combined with a previously found IDOR on the order endpoint, an attacker with XSS can steal the session cookie and then enumerate other users' order data. The chain is: XSS reads document.cookie -> session token extracted -> IDOR on order endpoint using stolen session -> opposing user order metadata leaked. I have each piece individually confirmed but need help putting together the full chain PoC and impact statement for the report.
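A defensive counterpart to the two weaknesses in this chain, added here as example code that is not part of the original post: a check that reports a session cookie set without HttpOnly, Secure or SameSite, and the order lookup with the missing ownership check beside a hardened version. The order store, user ids and cookie values are constructed for illustration.

```python
# Added example (not from the original post): detection of a weak Set-Cookie
# header and the object-level authorization fix for the order endpoint.
# All names, ids and values below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

REQUIRED_COOKIE_FLAGS = ("HttpOnly", "Secure")


def missing_cookie_flags(set_cookie_header: str) -> List[str]:
    """Return the hardening attributes absent from a Set-Cookie header value.

    Attribute names are compared case-insensitively, as browsers do.
    """
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    missing = [f for f in REQUIRED_COOKIE_FLAGS if f.lower() not in attrs]
    if "samesite" not in attrs:
        missing.append("SameSite")
    return missing


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_user_id: int
    symbol: str
    quantity: float


# Constructed sample order store keyed by order id.
ORDERS: Dict[int, Order] = {
    101: Order(101, 1, "BTC-USD", 0.5),
    102: Order(102, 2, "ETH-USD", 3.0),
}


def get_order_vulnerable(session_user_id: int, order_id: int) -> Optional[Order]:
    """IDOR: looks the order up by id only and never checks who owns it."""
    return ORDERS.get(order_id)


def get_order_hardened(session_user_id: int, order_id: int) -> Optional[Order]:
    """Object-level authorization: the record must belong to the session user.

    Returning None for both "not found" and "not yours" avoids confirming
    that another user's order id exists.
    """
    order = ORDERS.get(order_id)
    if order is None or order.owner_user_id != session_user_id:
        return None
    return order
```

The same ownership test belongs on every endpoint that accepts a user-supplied object id, not only the order lookup.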