CSRF is just the beginning so that the full effects of the XSS attack can take place.
Who's to say the JavaScript he posted doesn't exist somewhere in the account where other members are now going to pull it up, thereby running it on their own accounts, creating a bigger mess?