Ive got a question about Cross Site Scripting Vulnerability.

its a common mistake to create a Cross Site Scripting Vulnerability that allows an attacker to insert some <script> commands into a page, but my question is how can attacker use it for making any damage?

The <script> commands that the attacker would insert into the HTML page will run on the client side (the attacker side), and wont run on the server. therefor, it wont hurt the server, it will only hurt the client.

The worst thing i can think of in this kind of attack is using a Cross Site Scripting Vulnerability to insert <script> commands into forums, or things other users will see, and then all the users will activate the <script> commands. but again, what harm can really be done by running HTML code?