I have fixed this here and plan to package a new release of mojoPortal tommorrow.
I think the worst case scenario of this vulnerability is the possibility of crafting a link that could steal a user's session cookie and the attacker could then have the same priveleges as the user who was attacked. The attacker would have to manage to get the user to click the link somehow from an email or other web site, and the user would have to already be logged into the mojoportal site for this to work.
Nevertheless, with any security vulnerability I think its best to get a fix out right away.
Thanks again for reporting it.