Risk: not critical
openlayers_ui does not sanitize title and descriptions for maps on admin/structure/openlayers/maps. Adding a new map on admin/structure/openlayers/maps/add with Map Description "
<script>alert('XSS');</script>" demonstrates an XSS exploit.
Of course an attacker needs the "administer openlayers" permission to place a malicious script snippet there, so this is rather boring. The permission is not marked as restricted in hook_permission(), so this is a small security issue.
This has been discussed with the Drupal security team: this vulnerability can be fixed publicly as per http://drupal.org/security-advisory-policy because it affects a branch (or branches) of a project that does not have a "stable release".