This seems like it's just plain XSS - it doesn't take advantage of a user's serverside session to forge an action on their behalf.