A cross-site scripting (XSS) vulnerability exists in dotCMS 3.7.0, exploitable in an authenticated attack through the addressID parameter of /myAccount.
dotcms dotcms 3.7.0