The Drupal security team reports:
A few arguments passed via URLs are not properly sanitized
before display. When an attacker is able to entice an
administrator to follow a specially crafted link, arbitrary
HTML and script code can be injected and executed in the
victim's session. Such an attack may lead to administrator
access if certain conditions are met.

The way page caching was implemented allows a denial of
service attack. An attacker has to have the ability to post
content on the site. He or she would then be able to poison
the page cache, so that it returns cached 404 page not found
errors for existing pages.
If the page cache is not enabled, your site is not vulnerable.
The vulnerability only affects sites running on top of MySQL.