2 matches found
SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)
These modules enable you to substitute text emoticons, like :-, with images. These modules don't sufficiently sanitize user-defined smiley acronyms before displaying smiley images. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2010-035: Smileys - Cross Site Request Forgery
The Smileys module provides a text filter that substitutes emoticons with images. The module is vulnerable to cross-site request forgeries (CSRF) via the URL used to delete smileys. A user with "administer smileys" permission could be tricked into visiting the smiley delete URL and unwittingly remo...