As you probably know, cross-site scripting is a technique in which content from one source is inserted into a page served by another. A common use is in phishing, such as making a phishing site magically appear to be the real financial site.
For example, clicking here will take you to the Sun site, with a wonderfully self-serving message. (And if you want to get really irritated, click here to go to the Cisco site, but don’t tell me I didn’t warn you.)
Brian Krebs has more details, here.
UPDATE: The XSS links above have been fixed by at least Cisco. I think the Sun one should still work.