You are alerting the raw decrypted object - the default encoding for such is hex. It needs to be converted to a string using the appropriate human-readable encoding:
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
<script>
var toEncMes = "This is a secret message.";
var secPas = "myPassword";
var encrypted = CryptoJS.AES.encrypt(toEncMes, secPas);
alert (encrypted);
var decrypted = CryptoJS.AES.decrypt(encrypted, secPas);
alert (decrypted.toString(CryptoJS.enc.Utf8)); // <---- note specified encoding
</script>
Of course, the usual cryptographic warning signs still apply: this doesn't ensure your message has not been tampered with, etc.