XSS exists in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter.
dotcms dotcms 3.7.0