A database input validation was fixed in rubygem-devise.

Using a specially crafted request, an attacker could trick the
database type conversion code to return incorrect records. For some
token values this could allow an attacker to bypass the proper checks
and gain control of other accounts.

http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/