XSS or cross-site scripting
CSRF refers to cross-site request forgery. Here the attacker abuses a user's session in order to impersonate that user. An example is Glassdoor, which was known to have a CSRF bug in the severe range of 9 to 10. If exploited, such a vulnerability would give attackers access to, and editing permissions over, employee accounts, along with job seeker permissions. Fortunately, the bug was discovered by a bug bounty researcher, and the company fixed it before it led to any major damage.
Client-side issues
When developers introduce APIs on the client side, the application becomes vulnerable to attacks. In such cases poor website development is to blame. A client-side browser script has access to all the content that the web app returns directly to the browser, including cookies with sensitive data such as the user session ID. This leads to a situation where attackers try to hijack user sessions and probe for sensitive data.