Cyclos 4 PRO 4.14.7 and earlier does not validate user input when reporting an error, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum constant.

References
https://tf1t.gitbook.io/mycve/cylos/cyclos-4.14.7-dom-based-cross-site-scripting-in-undefined-enum-cve-2021-31674
https://www.exploit-db.com/exploits/50908
http://packetstormsecurity.com/files/167040/Cyclos-4.14.7-Cross-Site-Scripting.html