A company's web application includes user input in web pages without proper validation or encoding. Attackers inject code that runs in the browsers of other users, potentially stealing session tokens and personal data. Which vulnerability is being exploited by attackers?
Cross-site scripting (XSS)
Remote file inclusion
Cross-site request forgery (CSRF)
SQL injection