Issues » XSS possible after admin authentication

Issue: SI-5
Date: Jun 2, 2013, 8:00:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: n/a
Credit: Internal Security Team /
Description:

A number of user input fields within the administrative portal of the application were found to accept arbitrary user input that is returned to the page. One example location where a script could be injected is the page title field of a new HTML page. The value below, submitted as the page title, causes a JavaScript alert box to pop up on the page showing the contents of the site's cookies:

test</title></head><body><script>alert(document.cookie)</script><!--
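To show why the title value above works and what stops it, here is an added example (not dotCMS code) that renders the page once the way the advisory describes, with the title concatenated straight into the markup, and once with HTML-entity encoding applied first; the template, function names and sample body are assumptions.

```python
import html
import re

# Constructed sample: the proof-of-concept title value quoted in the advisory.
UNTRUSTED_TITLE = 'test</title></head><body><script>alert(document.cookie)</script><!--'

def render_vulnerable(title: str) -> str:
    """Assumed template: the admin-supplied title is written into the page
    with no output encoding, so '</title></head>' in the value closes the
    real elements and the trailing '<!--' comments out the rest of the page."""
    return f"<html><head><title>{title}</title></head><body><p>Page body</p></body></html>"

def render_hardened(title: str) -> str:
    """Same template, but the title is HTML-entity encoded before it is
    emitted. Inside <title>, '&lt;/title&gt;' is shown as literal text and
    cannot close the element, so no script element reaches the parser."""
    safe = html.escape(title, quote=True)
    return f"<html><head><title>{safe}</title></head><body><p>Page body</p></body></html>"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def contains_script_tag(document: str) -> bool:
    """Minimal regression check: does the rendered markup contain a real
    (unencoded) <script> tag?"""
    return SCRIPT_TAG.search(document) is not None

if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        doc = renderer(UNTRUSTED_TITLE)
        print(f"{name}: script tag present = {contains_script_tag(doc)}")
        print(doc)
```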
Mitigation:

Once a user is authenticated in the dotCMS admin console, they are treated as a trusted user. If this is not the case, we would recommend limiting administrative access to an IP address range.

Additionally, as of 5.x, dotCMS's built-in XSSPreventionFilter prevents most XSS-type attacks.