Security updates

Vulnerability: Forgotten password challenge guessable.

The forgotten password challenge combines the user's email address with the timestamp of their last login and hashes that data with the application's standard password hash.  The challenge is not stored anywhere: when the hash arrives in the reset URL, the application extracts the salt from it, retrieves the email address and last login time from the database, recomputes the hash and compares.  Because the salt is taken from the URL itself, the hash's random salt adds nothing to the challenge's entropy.  An attacker who knows the email address need only guess when the user last logged in, pick any salt, and generate a hash the application will accept.
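The following is an added illustration, not code from the application: a constructed stand-in for the salted password hash (`app_hash`, hypothetical) shows why verifying a recomputed challenge accepts any token built from the two guessable inputs, and a hardened scheme beside it stores only the digest of a random, expiring, single-use token so there is nothing to recompute.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the application's password-hash routine (hypothetical):
# the token is salt || sha256(salt || data), with the salt recoverable from the token.
SALT_LEN = 8

def app_hash(data: str, salt: str) -> str:
    return salt + hashlib.sha256((salt + data).encode()).hexdigest()

def verify_app_hash(data: str, token: str) -> bool:
    salt = token[:SALT_LEN]                      # salt is trusted straight from the token
    return hmac.compare_digest(app_hash(data, salt), token)

# --- Vulnerable scheme as the page describes: challenge derived from email and
# last-login timestamp, nothing stored, verified by recomputation. ---
def make_challenge_vulnerable(email: str, last_login: int) -> str:
    return app_hash(f"{email}|{last_login}", secrets.token_hex(SALT_LEN // 2))

def verify_challenge_vulnerable(email: str, last_login: int, token: str) -> bool:
    # Whoever knows email and last_login can mint a token with any salt; the salt
    # contributes no entropy because the verifier recovers it from the token.
    return verify_app_hash(f"{email}|{last_login}", token)

# --- Hardened scheme: random token, only its digest stored, with expiry and single use. ---
RESET_TTL = 3600
_reset_store: dict = {}   # email -> (sha256 digest of token, expiry); in-memory stand-in for a DB table

def issue_reset_token(email: str, now: int) -> str:
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG, not derivable from user data
    _reset_store[email] = (hashlib.sha256(token.encode()).hexdigest(), now + RESET_TTL)
    return token

def verify_reset_token(email: str, token: str, now: int) -> bool:
    entry = _reset_store.get(email)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:                             # stale tokens are rejected outright
        return False
    if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()):
        return False
    del _reset_store[email]                      # single use: a replayed link fails
    return True
```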

UTF8 Fixes
Some calls that escape HTML could not handle UTF-8 characters; this has been corrected.

Map loading issues
The GeoJSON used to load maps failed to render if a deployment had reports without locations; such reports are now ignored.
Maps on individual report pages were not loading; the JavaScript error causing this has been fixed.
OpenLayers TMS support was not included in 2.6; it has been reinstated so that the Cloudmade plugin works.

Custom forms
Fixed issues with loading custom form fields on deployments that use table prefixes.

Fixed PHP errors when signing up for mobile alerts.

Fixed "more information" links in the reports listing.