Rails form helper security vulnerability

A vulnerability has been found in the Rails form helpers that allows an attacker to inject arbitrary HTML into pages. This exposes an unpatched Rails app to cross-site scripting (XSS) attacks, which could result in stolen session cookies and similar consequences.

All versions of Rails from 2.0 onwards are affected. Two new official releases fix the issue: 2.3.4 and 2.2.3. If you’re still running Rails 2.0 or 2.1 and can’t upgrade, the security team has provided patches, but they must be applied manually. In that case, we’d recommend vendoring the Rails gems and then applying the patches.

More details from the security team here.
