XSS exists in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter.
dotcms dotcms 3.7.0