Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages.
The Drupal.checkPlain function, used to escape text in ECMAScript, contains a bug which causes it to escape only the first instance of a character, allowing users to inject arbitrary HTML and script code in certain pages.
Wikipedia has more information about cross site scripting (XSS).
Install the latest version:
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.