A SQL injection vulnerability has been identified in dotCMS 3.3 which, if successfully exploited, could allow an attacker to access sensitive information in the dotcms database.   

The vulnerability requires an authenticated dotCMS user to be exploited.  For more information see:

http://seclists.org/fulldisclosure/2016/Apr/5

Prevent external access to the /dwr endpoint uri via firewall rules.