Cross-Site Scripting (XSS) attacks are a type of vulnerability called “injection”.
Some malicious scripts can be injected into trusted web sites. XSS attacks occurs when an attacker is sending malicious code, generally in the form of a browser, to a different browser/visitor.
The flaws allowing these attacks to succeed are badly widespread and occurs anywhere in any input from without validating or sanitizing it.
An attacker will use XSS to get private user information, web sessions. The end user’s browser has barely no way to know that the script should not be trusted, and will execute it.
The malicious script can access any cookies, session tokens, or any sensitive information retained by the browser and used on this site. These scripts can even rewrite the content of the HTML page leading to a phishing attack.