A remote attacker might be able to access sensitive information, trick users into visiting a malicious website, execute arbitrary JavaScript on the visitor's browser, trick users into performing unwanted actions and bypass access restrictions. A local attacker might be able to execute arbitrary code with the privileges of the webserver.