Usually I agree that XSS vulnerabilities are not a real security concern and more some kind of reputation issue for the project when I see what gets published on Bugtraq and other mailing lists, especially when looking at the products for which "vulnerabilities" are reported. One of my favorite recent examples of a waste of time on reporting and investigating an XSS flaw is:
http://seclists.org/fulldisclosure/2007/Oct/0377.html (also read the replies, really funny).
However, pdp (architect) (the "pdf pwnz windows" guy) wrote a very interesting mail about XSS and real security concerns regarding an XSS issue. He came up with a very interesting real exploit scenario for an imaginary XSS flaw that I also hadn't thought about before:
I used to rate XSS as low, sometimes as medium, risk two years ago. Today, if they are unauthenticated, I rate them as HIGH. Why? Open your eyes. XSS is not only about getting the victim to run some code. There are a number of things you can do. Do you know that if CNN has XSS on their site and I manage to inject some Google ads and kind of spread around the vector on a couple of bookmarking sites, I can make tons of money. Think about it.
a) CNN is a very important site.
b) Ad clicks will cost more.
c) Social bookmarking is a way of life (look at DIGG).
d) Social bookmarking sites can be spammed (research OnlyWire).
So it is not always just about inserting some JavaScript or HTML code and displaying information that should not be there.
Sure, most of the reported XSS issues are still very low-impact, just because of the environment the specific software is used in.
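Whatever the rating, the root cause of the flaw pdp describes is the same one behind every reflected XSS: untrusted input concatenated into markup. The following is an added example, not code from the original post or from pdp; the function names, the search-page markup and the sample input are all constructed here. It puts the vulnerable rendering beside its escaped form and includes the crude check a reviewer can run to see whether a tag from the input survives into the output.

```javascript
// Added example (not from the original post): reflecting untrusted input
// into HTML verbatim versus HTML-escaping it first. Function names and the
// sample input are constructed for this illustration.

// Minimal HTML escaper for text placed inside element content.
// '&' is replaced first so the entities added afterwards are not re-escaped.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the search term is concatenated straight into the markup,
// so any tag in the input becomes part of the page the victim's browser parses.
function renderSearchResultsUnsafe(term) {
  return "<h1>Results for " + term + "</h1>";
}

// Hardened: the same page, with the untrusted value escaped before insertion.
function renderSearchResultsSafe(term) {
  return "<h1>Results for " + escapeHtml(term) + "</h1>";
}

// Review check: does any raw tag taken from the input appear verbatim
// in the rendered output? True means the input reached the page as markup.
function containsRawTag(html, input) {
  const tags = input.match(/<[^>]+>/g) || [];
  return tags.some((t) => html.includes(t));
}

// Constructed sample input: harmless markup plus a script tag.
const sampleInput = "<b>cats</b><script>alert(1)</script>";

console.log("unsafe:", renderSearchResultsUnsafe(sampleInput));
console.log("  tag survives:", containsRawTag(renderSearchResultsUnsafe(sampleInput), sampleInput));
console.log("safe:  ", renderSearchResultsSafe(sampleInput));
console.log("  tag survives:", containsRawTag(renderSearchResultsSafe(sampleInput), sampleInput));
```

The escaper covers only text placed in element content; a value written into an attribute, a URL or a script block needs the encoding rules of that context, and a templating engine that escapes by default removes the chance of forgetting the call altogether.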