That's debatable. Also, it depends if it's persistent, reflected, or DOM-based XSS. Persistent XSS would be more likely to be considered an attack against the server/application, though I could see the counterargument as well. Reflected could go either way, and DOM-based would be the least likely to be considered a server attack.