Cookies are not really a vulnerability. Everyone who makes logins and such should know that cookies can be used by someone else to gain access to whatever the login gives access to.

The cookie should come into the hands of the person if:

a) The cookie file is given by the victim to the person, or the person has access to their computer w/ the cookie file.

b) The victim clicks a link that takes them to an XSS-injection-vulnerable page, which will redirect them to the person's own page, which will log their cookie from the previous site.

EDIT: The person who posted before me must have deleted their post or something; this post was a response.
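An added example (not part of the post above): a small Node.js audit of `Set-Cookie` headers against the two routes the post lists. A cookie without `HttpOnly` is visible to page script through `document.cookie`, which is what route (b) relies on, and a cookie with `Expires` or `Max-Age` is kept in the browser's cookie store across restarts, which is the file route (a) refers to. The function names, finding labels and header values are constructed for illustration.

```javascript
// Constructed sample headers, as a server might send them on login.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/',
  'session=abc123; Path=/; HttpOnly; Secure',
  'remember=tok=en; Max-Age=2592000; httponly',
  'prefs=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT',
];

// Split one Set-Cookie value into the cookie name and its attributes.
// Attribute names are case-insensitive; the cookie value may contain '='.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const pair = parts.length > 0 ? parts[0] : '';
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Report which of the post's two exposure routes each cookie is open to.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  // Route (b): without HttpOnly, script on the page can read the cookie.
  if (!attrs.httponly) findings.push('script-readable');
  // Route (a): a lifetime attribute makes the cookie persist in the store.
  if (attrs['max-age'] !== undefined || attrs.expires !== undefined) {
    findings.push('persistent');
  }
  return { name, findings };
}

function auditAll(headers) {
  return headers.map(auditCookie);
}

for (const { name, findings } of auditAll(SAMPLE_HEADERS)) {
  console.log(name + ': ' + (findings.length ? findings.join(', ') : 'ok'));
}
```

`HttpOnly` only hides the cookie from script; it does not fix the injection flaw on the page itself.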