We are doing a security evaluation.
There is a chance that a malicious user can inject arbitrary css into another user's web pages, although we are not sure it can actually be exploited.
I understand he could totally change the page look, even causing nothing to be displayed at all. Is that all? What is the worst that could happen? Can javascript be embedded in css? Can he "steal" the other user's cookies? And initiate another session?
Yes to all of the above. Injection of arbitrary CSS can lead to javascript execution. Look at:
The worst thing that could happen is dependent on the environment. In some cases stealing a session cookie and accessing the users session maybe the worst thing to happen (e.g., banks, online stock trading) this may not be the case for your situation. Other examples of attacks would be gaining control of the browser, gaining access to the client's machine, etc.