The information in this wiki hasn't been maintained for a good while. Some of the projects described have since been deprecated.

In particular, the "Ushahidi Platform v3.x" section contains information that is often misleading. Many details about this version of Platform have changed since.

This website is an extraction of the original Ushahidi wiki into a static form. Because of that, functions like logging in, commenting or searching will not work.

For more documentation, please refer to

Skip to end of metadata
Go to start of metadata
Submitted20 November 2012
Advisory IDSA-WEB-2012-008
RiskHighly Critical
PlatformUshahidi (Web)


Fixes security issue discovered by Timothy D. Morgan.  Forgotten password challenges were guessable based on users last login and email address. Tokens are now generated based on a HMAC of login time and email address using a salt and secret key specifically for these tokens. Reference: CVE-2012-5618.


This vulnerability can be fixed by upgrading to 2.6.1. An upgrade to our this latest version is highly recommended.

Download (ZIP; click to download)md5
Ushahidi v2.6 -> 2.6.16a1ef328dce55dfa2218fe81d1269a18
Ushahidi v2.6 (full application)75eec9678f04ad9245c1b267bca55980


For users who cannot upgrade for whatever reasons, you can patch your install with the patches available below.

  • Download and unzip (patch file).
  • Upload and replace your current files in the folders that correspond to those in the patch.
Download (ZIP)md5
Patch for v2.6 and earlierd4b3055ab60457155ae21231f3e286fc