Cross-Site Scripting (XSS)

Cross-Site Scripting is usually abbreviated to XSS, and it can be described as a form of HTML injection attack.

A website will be prone to an XSS attack if there are no measures in place to prevent scripts supplied by an attacker from being executed in users' browsers. In this scenario, most of the time, the attacker uses such a script to hijack an authentic user's session and assumes the identity of that user on the website.

Once the session is in the hands of the attacker, your application is at their mercy for the duration of the session. They can do just about anything, including making your web pages look any way they want, and they can even launch attacks on other websites through your web pages. This can happen while the authentic user is still able to do other things, but an XSS attack can allow a hacker to assume full control of the browser.

If a website allows users to upload links, then it is also susceptible to an XSS attack in which the attacker would be able to harvest data uploaded through a form, and also extract the website's security information.

XSS attacks can also come in the form of a hacker attempting to hijack cookies. These cookies can hold login identities and/or session identifiers. Once the cookies are hijacked, most information about the user is potentially available to the hacker. Through the same cookie hijacking, a hacker may ride on the user's session while the user performs normal functions, submitting malicious content, such as scripts, without the user being aware of such activity.
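
The three exposures described above (script injected into a page, user-uploaded links, and script access to session cookies) each have a standard server-side countermeasure. The following is an added example, not code from the book; the function names and the sample cookie name are hypothetical.

```javascript
// Added example: defensive helpers for user-supplied text, links and cookies.
// All names here are hypothetical.

// Encode the five HTML-significant characters so that user text is
// rendered by the browser as text and never parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept a user-uploaded link only if it parses as an absolute http(s) URL.
// The URL parser normalises case and strips embedded whitespace before the
// scheme is compared, so disguised script schemes are rejected as well.
function safeLink(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return null; // relative or unparseable input
  }
  const allowed = url.protocol === 'http:' || url.protocol === 'https:';
  return allowed ? url.href : null;
}

// Build a comment fragment: every user-controlled value is encoded, and the
// link is emitted only when it passed the scheme allow-list.
function renderComment(author, body, link) {
  const href = safeLink(link);
  const anchor = href
    ? ` <a href="${escapeHtml(href)}" rel="noopener noreferrer">link</a>`
    : '';
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}${anchor}</p>`;
}

// Session cookie value for a Set-Cookie header. HttpOnly keeps the cookie
// out of reach of page scripts, Secure restricts it to HTTPS, and SameSite
// limits cross-site sending. This narrows what an injected script can take;
// it does not stop the injection itself.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```

Output encoding must match the context the value lands in; `escapeHtml` covers HTML text and quoted attribute values, not inline script or CSS.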
