XSS in Lucene Search Admin tool

Issue: SI-33
Date: Apr 11, 2016, 10:30:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 3.3.2, 3.5
Credit: Piaox From Pingan Product Safety Group
Description:

The Lucene search admin tool (Admin only) allows a user to construct and execute a query to run against dotCMS content. The admin tool does not sanitize the query and echoes it back to the user, which allows for XSS JavaScript execution.

Mitigation:

dotCMS 5.2 and above ships with an XSS prevention filter that validates incoming requests to admin URLs. If the incoming request does not include a valid Referer or Origin header, the request is blocked by the filter. In essence, this blocks an attacker's ability to remotely trigger an XSS or Referer vulnerability from a domain outside of the administrative panel.

Versions of dotCMS older than 5.2 can install the CSRF OSGi plugin, which does the same work as the XSS prevention filter.
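The following is an added example, not dotCMS code, illustrating the two controls this advisory touches on: the missing output encoding that causes the reflected XSS in the query echo (Description above), and the Origin/Referer validation that the XSS prevention filter and the CSRF OSGi plugin apply to admin URLs (Mitigation above). dotCMS's real filter is Java; this is a stand-alone Python rendering of the same check. The admin origin `https://cms.example.test`, the header handling order and the sample query are assumptions made for the example.

```python
"""Added example (not dotCMS code): output encoding for an echoed query, and
an Origin/Referer check for requests to admin URLs, as described in the advisory."""
from html import escape
from typing import Dict, Optional
from urllib.parse import urlsplit


def render_query_echo(query: str, safe: bool = True) -> str:
    """Return the HTML fragment an admin tool might use to echo a query back.

    safe=False reproduces the vulnerable behaviour from the advisory: the query
    is interpolated verbatim, so markup in it becomes live HTML/JavaScript in the
    administrator's browser. safe=True entity-encodes every HTML-significant
    character, so the same input renders as inert text.
    """
    shown = query if not safe else escape(query, quote=True)
    return f"<p>Results for query: <code>{shown}</code></p>"


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its scheme://host[:port] origin; None if it has neither."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers "null", empty and garbage values
    return f"{parts.scheme}://{parts.netloc}".lower()


def admin_request_allowed(headers: Dict[str, str], admin_origin: str) -> bool:
    """Allow a request to an admin URL only if it verifiably came from the admin UI.

    Checks Origin first (browsers send it on cross-site and state-changing
    requests), then Referer; a request carrying neither is blocked, as the
    advisory's filter does. Header names are matched case-insensitively.
    Note: ports are compared literally, so "https://host:443" and "https://host"
    are treated as different origins by this simplified check.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    expected = _origin_of(admin_origin)
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if value:
            return _origin_of(value) == expected
    return False


if __name__ == "__main__":
    # Constructed sample query containing markup, as submitted to the admin tool.
    hostile = 'title:test"><script>alert(1)</script>'
    print(render_query_echo(hostile, safe=False))  # markup survives: vulnerable
    print(render_query_echo(hostile, safe=True))   # markup is entity-encoded

    admin = "https://cms.example.test"  # assumed admin origin for the example
    print(admin_request_allowed({"Origin": "https://cms.example.test"}, admin))
    print(admin_request_allowed({"Referer": "https://cms.example.test/c/portal"}, admin))
    print(admin_request_allowed({"Referer": "https://other.example.test/page"}, admin))
    print(admin_request_allowed({}, admin))
```

Run it directly to see the vulnerable echo beside the encoded one and the four header decisions. The header check is a compensating control only: it stops a cross-site page from triggering the reflected query, but encoding the echoed value is what removes the XSS itself, which is why the fix versions listed above address the tool and the filter is described as mitigation.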

References

https://packetstormsecurity.com/files/136636/DotCMS-3.5-Beta-Cross-Site-Scripting.html
