"Reflected Cross Site Scripting" occurs when data is copied from a request and returned in an immediate response from the application in an insecure manner.
An attacker could use this vulnerability to construct a request that, if triggered by a user, will execute JavaScript code in the victim's browser in the context of the victim's session in the application. This vulnerability can be exploited to steal application session tokens and passwords, to compromise the victim's workstation, among other actions. This attack can be delivered in several ways, for example, by sending forged emails with a link to the application containing the malicious code or through an apparently harmless web site that forces the malicious request to the application. This vulnerability is commonly exploited in "phishing" type attacks.