Security Advisory - Alma “Forgot My Password” Vulnerability Identified and Corrected – March 29, 2021

Overview

On March 25, 2021, a vulnerability in the "Forgot my password" link in Alma was identified. The "Forgot my password" link allows users managed in the Ex Libris Identity Service to provide their email/user ID and receive a secure link to change their password. Due to a logic error, the secure token was not checked server-side, so a malicious actor could change another user's password by changing the user ID in the web form.

Effective Security Severity Level

High

Ex Libris implemented a security solution on March 25, 2021 that mitigated the identified vulnerability. The secure token is now validated server-side to ensure that only the owner of the email address can change the password.
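The flaw class described in the Overview and the fix described above, shown as an added illustration in Python. This is not Alma's or the Ex Libris Identity Service's code; the service class, method names, user records and the 15-minute token lifetime are all assumptions constructed for the example. The flawed handler trusts the user ID submitted in the form and never consults the token store; the hardened handler accepts a reset only when the token exists, is unexpired and unused, and is bound to the same user ID the form submits.

```python
"""Password-reset flow: a handler that never checks the reset token server-side,
next to a handler that validates the token and binds it to the account.
Example code, not Alma's; all names and data below are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ResetToken:
    user_id: str        # account the token was issued for
    expires_at: float   # unix time after which the token is no longer valid
    used: bool = False  # tokens are single use


class PasswordResetService:
    TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

    def __init__(self, users: Dict[str, str]):
        # constructed sample data: user_id -> password (plaintext only for brevity)
        self.passwords: Dict[str, str] = dict(users)
        # only the SHA-256 digest of each token is stored, keyed by that digest
        self.tokens: Dict[str, ResetToken] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user_id: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a reset token for user_id; a real service would e-mail it as a link."""
        if user_id not in self.passwords:
            return None
        issued_at = now if now is not None else time.time()
        token = secrets.token_urlsafe(32)
        self.tokens[self._digest(token)] = ResetToken(
            user_id=user_id, expires_at=issued_at + self.TOKEN_TTL_SECONDS)
        return token

    def complete_reset_vulnerable(self, user_id: str, token: str,
                                  new_password: str) -> bool:
        """Flawed handler (the logic error class in the advisory): the token is
        carried in the request but never looked up, so whatever user_id the form
        submits gets its password replaced."""
        if user_id not in self.passwords:
            return False
        self.passwords[user_id] = new_password
        return True

    def complete_reset(self, user_id: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Hardened handler: token must exist, be unused and unexpired, and be
        bound to the user_id submitted in the form."""
        record = self.tokens.get(self._digest(token))
        if record is None or record.used:
            return False
        current = now if now is not None else time.time()
        if current > record.expires_at:
            return False
        # constant-time comparison of the bound account against the submitted one
        if not hmac.compare_digest(record.user_id.encode(), user_id.encode()):
            return False
        record.used = True
        self.passwords[user_id] = new_password
        return True


def demo() -> dict:
    """Run both handlers against the same constructed accounts and report outcomes."""
    users = {"alice": "alice-old", "bob": "bob-old"}
    flawed = PasswordResetService(users)
    flawed.request_reset("alice")  # token issued for alice, but the handler ignores it
    fixed = PasswordResetService(users)
    alice_token = fixed.request_reset("alice")
    return {
        # form submitted with a different user_id and no valid token
        "flawed_changes_other_user": flawed.complete_reset_vulnerable("bob", "not-a-token", "pwned"),
        "fixed_rejects_other_user": fixed.complete_reset("bob", alice_token, "pwned"),
        "fixed_rejects_bogus_token": fixed.complete_reset("alice", "not-a-token", "pwned"),
        "fixed_accepts_owner": fixed.complete_reset("alice", alice_token, "alice-new"),
        "fixed_rejects_reuse": fixed.complete_reset("alice", alice_token, "again"),
        "bob_password_on_fixed": fixed.passwords["bob"],
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The check that matters for this advisory is the user ID binding: validating that a token exists is not enough, because a token issued to one account must not be usable to reset another. Storing only the token digest and marking it used after one reset limits what a leaked mailbox or log line is worth.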

Affected Systems

Ex Libris Alma product

Tests and Certifications

The fix for this vulnerability has been developed, tested, and certified for Ex Libris products.

Actions Taken for Cloud Systems

Ex Libris has already deployed the fix to all cloud environments and no action is required by the customer.

Exploitation and Public Announcements

The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Record of Changes

Type of information | Document Data
Document Title: Security Advisory – Alma "Forgot My Password" Vulnerability Identified and Corrected – March 29, 2021
Document Owner: Tomer Shemesh – Ex Libris Chief Information Security Officer (CISO)
Approved by: Barak Rozenblat – VP Cloud Services
Issued: March 29, 2021
Reviewed & Revised: March 29, 2021


Revision Control

Version Number | Nature of Change | Date Approved
1.0 | Initial version | March 29, 2021

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated regularly or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
