This one is complicated, but it allows an attacker to read any file on the filesystem when the victim clicks a link. You don’t even have to know the name or path of the file, because you can also retrieve directory listings using this attack. Additionally, you can send arbitrary authenticated HTTP requests and read the responses. This allows an attacker to read cookies and email, interact with online banking, and so on.