Hard time with a triager: I found a CSRF issue which leads to stored XSS in an auth page (+WAF bypass), and the XSS is triggered when the victim (normally using the website) clicks on a button. The XSS also leads to account takeover since document.cookie isn’t protected.

Is it medium or high?