XSS alone doesn't do much damage, but it can easily be combined with other techniques to form powerful attack vectors. A few possibilities are:
session hijacking - Often, session cookies can be read from Javascript. Through XSS, a script can be mounted that reads a user's session ID and passes it back to the attacker (a simple yet effective method is to add an img element to the DOM, where the URL of the image carries the session ID); the attacker can then hijack an authenticated session by putting the session ID into their own session cookie.
scraping sensitive information - If a page with an XSS vulnerability contains sensitive information, and send it to the attacker (just like the session cookie).
posting data on someone else's behalf - Through XSS, a form submit can be intercepted and modified, or even triggered, posting data without the user's consent. For example, if you can compromise a web mail client, you could hijack the 'send' button to add yourself to the list of recipients.
malicious redirecting - An XSS script can alter the URLs of any link on the page. This can be abused to, for example, send the user to a spoofed login page; instead of actually logging in, they are sending their credentials to the attacker.
social engineering - By inserting error messages, alerts, etc., you can trick users into all sorts of insecure behavior. For example, an attacker could prompt users to download and open a certain file; if the site that asks them to do so has a high level of trust with the user, chances are they will uncritically execute anything, which allows for mounting trojans and other malware.
Also note that many attack vectors work without the user consciously opening the compromised page: often, the compromised page is put into an invisible iframe somewhere else, such as a forum that the victim is likely to visit, or a page linked from yet somewhere else.