Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications where attackers cause a web server to send a page that contains malicious HTML or other client side scripts to a victim’s browser.
XSS occurs primarily because web applications do not validate user input. Attackers take advantage of this fact and push malicious code to the web application which then serves this un-validated input back to users. This attacker injected malicious code then executes in the context of the web application in the victim’s browser.
The consequences of XSS include bypass of access controls, phishing, browser exploits, denial of service etc. XSS has replaced buffer overflows to become the most exploited vulnerability since 2005 and has affected popular sites including Google, Facebook, Orkut & MySpace.
Read Wikipedia’s entry on cross-site scripting here.