High-Tech Bridge SA Security Research Lab has discovered a vulnerability in ocPortal that could be exploited to perform CSRF attacks.
1) Cross-site request forgery (CSRF) in ocPortal
The vulnerability exists due to insufficient validation of the request origin in /site/index.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following it, and add an arbitrary account to an arbitrary group. Successful exploitation might result in complete compromise of the application.
<form action="http://host/site/index.php?page=groups&type=add_to&id=2" method="post" >
<input type="hidden" name="username" value="hacker" >
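The two controls whose absence the advisory describes, a request-origin check and a per-session synchronizer token, shown as an added defensive example in Python. This is not ocPortal's own code; SITE_ORIGIN, the session dict and the two request dicts are constructed to mirror the scenario above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://host"  # hypothetical origin of the ocPortal install, as in the advisory


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session (synchronizer token)."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Reject requests whose Origin (or, failing that, Referer) is not our own site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no provenance at all: fail closed for state-changing requests
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def state_change_allowed(session: dict, headers: dict, form: dict) -> bool:
    """Both checks must pass before a state-changing action such as add_to runs."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    return origin_allowed(headers)


# Constructed requests mirroring the advisory's scenario (not real traffic).
ADMIN_SESSION = {"user": "admin"}
TOKEN = issue_csrf_token(ADMIN_SESSION)

# 1. Forged POST from an attacker-controlled page: the browser attaches the
#    admin's session cookie, but the form carries no token and Origin is foreign.
FORGED = {
    "headers": {"Origin": "http://attacker.example", "Cookie": "session=<admin-cookie>"},
    "form": {"username": "hacker"},
}
# 2. Legitimate submission from ocPortal's own group-management form.
LEGIT = {
    "headers": {"Origin": SITE_ORIGIN, "Cookie": "session=<admin-cookie>"},
    "form": {"username": "alice", "csrf_token": TOKEN},
}


def evaluate(request: dict) -> bool:
    return state_change_allowed(ADMIN_SESSION, request["headers"], request["form"])


if __name__ == "__main__":
    print("forged request allowed:", evaluate(FORGED))  # False
    print("legit request allowed:", evaluate(LEGIT))    # True
```

A request that is same-origin but lacks the token is still rejected, so a missing Origin header on older clients cannot be used to bypass the token check.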