If you are not subscribed to Adobe’s Security Bulletins, you might not have heard about the recent security update issued by Adobe for all supported versions of AEM (6.0 - 6.4). Quoting their press release:
"Adobe has released security updates for Adobe Experience Manager. These updates resolve two reflected cross-site scripting vulnerabilities rated Moderate, and three stored cross-site scripting vulnerabilities rated Important that could result in sensitive information disclosure."
If you are already on AEM Service Pack 2 for 6.4 or Service Pack 3 for AEM 6.3, these fixes were rolled into those Service Packs. For any other release of AEM, we urge you to download the security updates, test them in your non-production environments, and promote them to production as soon as you can safely do so.