Is XSS still a risk if your site does not allow users to log in?
We're about to launch a public-facing site, and the security review team has come back with an XSS vulnerability. It's essentially a brochure site - there are no logins, and no user-submitted information is publicly displayed.
Is XSS still something we should be concerned about?
Yes, XSS allows hackers to control the content on your site and normally takes a single function call to fix. It takes less effort to fix this issue than for you to post this question to SO about it.
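As an added illustration of the "single function call" fix this answer refers to (example code, not from the question or any answer), assume a brochure site with a search box that echoes the term back into the results page; Python's `html.escape` stands in for whatever output-encoding function the site's own framework provides.

```python
import html
from urllib.parse import parse_qs, urlparse


def render_search_vulnerable(query: str) -> str:
    """'Before': the term is concatenated straight into the HTML, so any
    markup in it is interpreted by the browser (reflected XSS)."""
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """'After': one call to html.escape() turns <, >, &, quotes into entities,
    so the term is displayed as text instead of being parsed as markup.
    This is correct for HTML text and quoted-attribute context only; values
    placed inside a <script> block, an event handler or a URL need the
    encoding rules of that context instead."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def search_term_from_url(url: str) -> str:
    """Pull the 'q' parameter out of a request URL (hypothetical parameter name)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def contains_active_markup(markup: str) -> bool:
    """Crude check used to compare the two renderers: does the page still
    contain a live <script ...> tag after rendering?"""
    return "<script" in markup.lower()


# Constructed request: no login needed, the term comes from the query string.
CONSTRUCTED_URL = "https://brochure.example/search?q=<script>alert(1)</script>"
CONSTRUCTED_TERM = search_term_from_url(CONSTRUCTED_URL)

if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(CONSTRUCTED_TERM))
    print("fixed:     ", render_search_fixed(CONSTRUCTED_TERM))
```

The vulnerable renderer returns the tag intact; the fixed one returns `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser shows as literal text.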
Let's say you are Fox News; someone could use XSS to fabricate the news. Furthermore, it could be used to deliver a drive-by download attack to your users. In your case someone could create a fake brochure with outrageous claims.
Yes, XSS vulnerabilities need not be focused on user data. They can be used to turn your site into a malware distribution site. Imagine an attacker puts in an XSS that pops up an alert saying "Your computer may have a virus" and starts a download for some scammer's fake virus scanner. You will be blamed by any users who fall for the scam.