A remote attacker is able to execute arbitrary JavaScript on the client's machine or perform a denial of service attack against the server by tricking an administrator into visiting a certain site.
+
Furthermore, a malicious administrator is able to delete unintended files from the server.