The Smileys module provides a text filter that substitutes emoticons with images. The module is vulnerable to cross-site request forgeries (CSRF) via the URL used to delete smileys. A user with βadminister smileysβ permission could be tricked into visiting the smiley delete URL and unwittingly remove smileys from the site.
Note that Smileys version 6.x-1.0-alpha5 and earlier versions for Drupal 6.x are also affected. However, the security team does not provide support for alpha releases.
Drupal core is not affected. If you do not use the contributed Smileys module, there is nothing you need to do.
Install the latest version.
See also the Smileys project page.