I think the name "cross site" is confusing. It's easy to hear that and think it involves code on one website attacking code on another website. That's not what it is. Not to mention its unfortunate "true" acronym.
If it can access cookies, then it can access active sessions.
If it can access active sessions, it can log in as you to websites you are logged in to, at least long enough to change passwords or other havoc.
XSS is different from, but similar in spirit to SQL injection. SQL injection is where SQL commands are not cleaned from inputs and thus able to do malicious things to a database. Using HTTPS cannot help with either XSS or SQL injection. HTTPS only protects data in transit over networks.
I'm not a security expert, I'm just helping spread the word: let's scrub those inputs people! Here's a start.
If you have more to add, or think I have it all wrong, let's have it!