HTML Injection

Occurs when you can inject HTML, but not Javascript for whatever reason.

Steal Cookies

I haven’t tested this, but HTML5 allows for <img> tags with CORS cross-origin use-credentials. This would allow you to steal cookies if you have a website that accepts CORS-with-credentials requests and logs the cookies.

Steal Credentials

You can try to phish for credentials.