A cross-site scripting (XSS) attack is a type of injection that is possible whenever a web application accepts input from users without validating or encoding it. For example, if I enter <script>alert(0)</script> in the search field of a website and the website does not encode special characters such as < or >, the script is injected in raw form into the HTML, and the browser executes it and displays an alert box.

In the same way, an attacker can run any JavaScript command. For example, access to cookies could be very dangerous, because the attacker can perform session hijacking and gain access to your account if you're using any cookie-based authentication.
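
The search-field case above, shown as a raw render beside an encoded one, together with a session cookie that page script cannot read. This is an added example, not code from the original page; the function names, the markup and the cookie name and value are assumptions made for illustration.

```javascript
// Added example: all names here (escapeHtml, renderResultsUnsafe, ...) are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that can change how HTML is parsed. This is correct
// for element content and quoted attribute values only; values placed inside
// <script> blocks, URLs or CSS need an encoder for that context instead.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the search term is concatenated into the markup as-is, so any
// tag it contains becomes part of the page.
function renderResultsUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same template, with the term encoded at the point of output,
// so the browser shows it as text instead of parsing it as markup.
function renderResultsSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Set-Cookie value for a session identifier. HttpOnly hides the cookie from
// document.cookie, Secure limits it to HTTPS, and SameSite=Lax keeps it off
// most cross-site requests.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

const sample = '<script>alert(0)</script>'; // the test string used in the text
console.log(renderResultsUnsafe(sample));
console.log(renderResultsSafe(sample));
console.log(sessionCookieHeader('sid', 'constructed-session-id')); // constructed value
```

HttpOnly only stops script from reading the cookie; an injected script can still send requests that carry it, so encoding at output remains the actual fix.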