More at https://owasp.org/www-community/attacks/xss/

Just out of curiosity: I understand XSS are like code injections into the HTML through user-controlled input or attacker-controlled input, e.g. the password field or the message you send someone. What you describe my amateurish brain however references as XS(-Leak?) vulnerability - is this a mix-up on your end or a misunderstanding of how words are used on my end?

The overview in the link above describes it. Basically the script can do many things including altering the content of a page.

More at https://owasp.org/www-community/Types_of_Cross-Site_Scripting