Difference Between XSS - Session Cookie Without Secure Flag HTTPonly?

Feb 2, 2015 08:32 PM
Feb 2, 2015 09:05 PM

Hello everyone.

I have a site created in ASP.NET that has been online for only a week. I decided to scan it first with the web scanner "VEGA" and a second time with "Acunetix Web Scanner."

After analysis, "Acunetix" reports, as a "High" result, that the site is vulnerable to XSS, unlike the scanner "VEGA", which says the site is vulnerable to Session Cookie Without Secure Flag HTTPonly.

So do you think that an XSS vulnerability and a Session Cookie Without Secure Flag HTTPonly vulnerability are the same, or is there a difference between these 2 vulnerabilities (XSS and Session Cookie Without Secure Flag HTTPonly), since the 2 web scanners found 2 different results?

Do you think a hacker can hack a web site vulnerable to Session Cookie Without Secure Flag HTTPonly by exploiting XSS vulnerabilities?

What is the difference between XSS and Session Cookie Without Secure Flag HTTPonly?

Thank you for informing me.
