Definition from Google, on XSS.
Cross site scripting (XSS) is a type of computer security exploit where
information from one context, where it is not trusted, can be inserted into
another context, where it is. From the trusted context, an attack can be
launched. Note that although cross site scripting is also sometimes
abbreviated "CSS", it has nothing to do with the Cascading Style Sheets
technology that is more commonly called CSS.
Example:
An XSS attack is something that an attacker performs, not an admin. You can
use XSS to retrieve session information, cookies, MD5 hashes, password hashes,
all from within a web browser, no need to be an admin.
Hope this helps.
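
The definition above, seen from the defending side, as an added example that is not part of the original post: untrusted text is placed into a trusted HTML page with and without output encoding, and the session cookie is marked so page script cannot read it. All function names and the sample input are constructed for illustration.

```javascript
// Characters that change meaning in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text so the browser treats it as data, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: untrusted input is concatenated straight into the trusted page,
// so any markup it contains is interpreted in the site's own context.
function renderCommentUnsafe(comment) {
  return '<p class="comment">' + comment + '</p>';
}

// AFTER: same template, but the input is encoded for the HTML context.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// Session cookie attributes: HttpOnly keeps the value out of document.cookie,
// Secure restricts it to HTTPS, SameSite limits cross-site sending.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Review helper: true if the rendered HTML still contains a live script tag.
function hasLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input standing in for a value from an untrusted user.
const sampleComment = '<script>/* untrusted */</script> Tom & "Jerry"';

console.log(renderCommentUnsafe(sampleComment)); // markup passes through
console.log(renderCommentSafe(sampleComment));   // markup is neutralised
console.log(sessionCookie('sid', 'abc123'));
```

Encoding has to match the output context; this helper covers HTML text and quoted attribute values only, not script blocks, URLs or CSS.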