XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter.