Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious Javascript in another user's browser.
Unlike other attacks such as SQL injection, XSS does not target the application, rather it targets the end user. However, the attacker does so by explioting a vulnerability in a website that the user visits.