We are doing a security evaluation.
There is a chance that a malicious user can inject arbitrary css into another user's web pages, although we are not sure it can actually be exploited.
I understand he could totally change the page look, even causing nothing to be displayed at all. Is that all? What is the worst that could happen? Can javascript be embedded in css? Can he "steal" the other user's cookies? And initiate another session?