A serious vulnerability in *all* versions of rails (for the last six years) has been spotted.
In brief: complex XML-style params go through an XML parser that converts each value according to its `type` attribute. "yaml" is a valid type, and selecting it hands the value to the YAML parser, which instantiates whatever classes the document embeds, and that can include arbitrary code, leading to all kinds of injection-attack possibilities.
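As an added illustration (not code from this post or from Rails itself), here is a simplified Ruby model of that type-dispatching parse in which the converter table simply lacks the `yaml` and `symbol` entries, the same effect the advisory's workaround of removing those types from the parsing table has. The function names, the `SAFE_PARSING` table and the sample request body are all constructed for this example.

```ruby
require 'rexml/document'
require 'date'

# Hypothetical, simplified model of typed-XML parameter parsing (not Rails
# code): the `type` attribute on a leaf element selects a converter.
# Only safe scalar converters are listed; "yaml" and "symbol", the types that
# hand element text to YAML.load / Symbol, are deliberately absent.
SAFE_PARSING = {
  'integer'  => ->(s) { Integer(s) },
  'float'    => ->(s) { Float(s) },
  'boolean'  => ->(s) { %w[1 true].include?(s.strip) },
  'datetime' => ->(s) { DateTime.parse(s) },
  'string'   => ->(s) { s },
}.freeze

# Types known to trigger object deserialization in unpatched versions.
DANGEROUS_TYPES = %w[yaml symbol].freeze

# Constructed sample body: a normal integer field plus one yaml-typed field.
SAMPLE_BODY = '<user><name>alice</name><age type="integer">31</age>' \
              '<prefs type="yaml">--- 1</prefs></user>'

# Convert an XML document into a nested Hash. Returns [params, rejected]:
# `rejected` lists the locations whose `type` was not an allowed converter;
# those values are kept as plain strings and never deserialized.
def parse_xml_params(xml)
  doc = REXML::Document.new(xml)
  rejected = []
  params = { doc.root.name => convert(doc.root, "/#{doc.root.name}", rejected) }
  [params, rejected]
end

def convert(el, path, rejected)
  children = el.elements.to_a
  # Simplification: repeated child names overwrite each other.
  return children.to_h { |c| [c.name, convert(c, "#{path}/#{c.name}", rejected)] } unless children.empty?
  text = el.text.to_s
  type = el.attributes['type']
  return text if type.nil?
  conv = SAFE_PARSING[type]
  if conv.nil?
    rejected << "#{path}[type=#{type}]" # candidate for logging/alerting
    return text
  end
  conv.call(text)
end

# Does the body carry any of the dangerous type attributes? Useful as a
# request-level check or detection rule independent of the parse result.
def dangerous_types_present?(xml)
  _, rejected = parse_xml_params(xml)
  rejected.any? { |r| DANGEROUS_TYPES.any? { |t| r.end_with?("[type=#{t}]") } }
end
```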
A general discussion of the problem, including patched versions and workarounds for old versions, is available here: Multiple vulnerabilities in parameter parsing in Action Pack
A more in-depth look at what the problem entails is available here: Analysis of Rails XML Parameter Parsing Vulnerability