Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefine enum constant.
https://www.exploit-db.com/exploits/50908
http://packetstormsecurity.com/files/167040/Cyclos-4.14.7-Cross-Site-Scripting.html