From The Register:
The XSS, or cross-site scripting, bugs allow attackers to steal the web cookies Symantec sets on visitors’ hard drives. Such cookies are frequently used to prove a visitor has already entered a valid password, so the ability to lift the file could be a non-trivial lapse of Symantec’s security.
For a collection of screen shots from the XSS bugs check out the Nemesis site. According to the site, Symantec has in fact been contacted about this problem and they’re working on it.
At the time of this posting the bugs were still live.