| Issue: | |
|---|---|
| Date: | |
| Severity: | Medium |
| Requires Admin Access: | No |
| Fix Version: | 5.0.0 |
| Credit: | Internal Security Team |
| Description: | The dotCMS 3 and 4 series ship with Apache Commons BeanUtils version 1.6.2, which is used in the Struts-based back end of dotCMS. BeanUtils version 1.9.2 and under, including version 1.6.2, do not suppress the `class` property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the `class` parameter, as demonstrated by passing this parameter to the `getClass` method of the Struts `ActionForm` object. |
| Mitigation: | dotCMS will provide an updated BeanUtils library for versions < 5.0.0. dotCMS 5 uses BeanUtils version 1.9.3, which is unaffected. The attack surface can be reduced by limiting user access to the Struts paths in dotCMS, e.g. restricting access to the path /c/* to a specific IP address or to authenticated users. |
| References | |
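As an added illustration of the mitigation above (not part of the advisory or of dotCMS's own tooling), the following Python script reviews constructed access-log lines for two conditions a defender would want to watch after restricting /c/*: requests to the Struts paths from sources outside an assumed admin allowlist, and query-string parameters that name the `class` property the advisory describes. The allowlist address, log lines and parameter values are constructed placeholders.

```python
"""Review web-server access logs for risky traffic to the dotCMS Struts back end (/c/*).

Two findings are raised: a /c/* request from a source outside the admin allowlist
(the path restriction the advisory recommends), and a query-string parameter whose
name starts with the ``class`` property. POST bodies are not present in access logs,
so this only sees query-string parameters; it complements, not replaces, the path restriction.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in common log format; not real dotCMS traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2018:10:00:00 +0000] "GET /c/portal/layout?p_l_id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2018:10:00:01 +0000] "POST /c/portal/j_login?class.classLoader=x HTTP/1.1" 200 12
10.0.0.5 - - [01/Jan/2018:10:00:02 +0000] "GET /c/portal/layout?p_l_id=2 HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2018:10:00:03 +0000] "GET /about-us/index HTTP/1.1" 200 8192
"""

# Hypothetical allowlist of administrator source addresses (placeholder value).
ADMIN_ALLOWLIST = {"10.0.0.5"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def risky_param(name: str) -> bool:
    """True when the parameter's first path segment is the ``class`` property.

    BeanUtils resolves nested/indexed names, so ``class.x`` and ``class[0]`` are
    cut at '.' and '[' before comparing; ``myclass`` is not matched.
    """
    head = name.split(".", 1)[0].split("[", 1)[0]
    return head.lower() == "class"


def analyse(log_text: str, allowlist=ADMIN_ALLOWLIST):
    """Return (source_ip, path, reason) tuples for every risky /c/* request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        if not (url.path == "/c" or url.path.startswith("/c/")):
            continue  # only the Struts back end is in scope
        if m["ip"] not in allowlist:
            findings.append((m["ip"], url.path, "struts path from non-allowlisted source"))
        bad = [k for k, _ in parse_qsl(url.query, keep_blank_values=True) if risky_param(k)]
        if bad:
            findings.append((m["ip"], url.path, "class property in parameters: " + ",".join(bad)))
    return findings
```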