Versions of jQuery UI prior to 1.13.0 contain XSS vulnerabilities. XSS is possible via the altField option of the Datepicker widget, various *Text options of the Datepicker, and the of option of the position() utility.
The issue is fixed in the current releases Znuny LTS 6.0.40 and Znuny 6.3.1. All download links can be found in the release notes 6.0.40 / release notes 6.3.
Please update as soon as possible.
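
A version check matching this advisory, as an added example that is not part of the original advisory or Znuny's own code: it reads the version from a jQuery UI file banner and compares Znuny versions against the fixed releases named above. The function names and sample banners are constructed for illustration, and Znuny branches the advisory does not mention are reported as unknown.

```javascript
// Added example: flag jQuery UI copies older than 1.13.0 and Znuny installs
// older than the fixed releases named in the advisory.

// Parse "a.b.c" into [a, b, c]; returns null for anything else.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not string).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// jQuery UI distribution files start with a banner such as
// "/*! jQuery UI - v1.12.1 - ..."; pull the version out of it.
function jqueryUiVersionFromSource(source) {
  const m = /jQuery UI - v(\d+\.\d+\.\d+)/.exec(source);
  return m ? m[1] : null;
}

function isJqueryUiAffected(version) {
  const v = parseVersion(version);
  if (!v) throw new Error("unrecognised jQuery UI version: " + version);
  return compareVersions(v, [1, 13, 0]) < 0;
}

// Fixed releases per branch, taken from the advisory text.
const ZNUNY_FIXED = { "6.0": [6, 0, 40], "6.3": [6, 3, 1] };

// Returns "fixed", "update" or "unknown" (branch not covered by the advisory).
function znunyStatus(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  const fixed = ZNUNY_FIXED[v[0] + "." + v[1]];
  if (!fixed) return "unknown";
  return compareVersions(v, fixed) >= 0 ? "fixed" : "update";
}

// Sample banners constructed for this example, not from a real installation.
const SAMPLE_OLD = "/*! jQuery UI - v1.12.1 - sample\n* http://jqueryui.com */";
const SAMPLE_NEW = "/*! jQuery UI - v1.13.0 - sample\n* http://jqueryui.com */";
```

In a browser session, the loaded library's version is also available as `$.ui.version` and can be passed to `isJqueryUiAffected` directly.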