PSIRT Advisories

Forgot password link doesn't expire after use


A FortiCloud password reset link requested by the user remains valid for one hour, even after the password has been changed successfully. An attacker who somehow gains access to the reset link can therefore take over the user's account.
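The defence against this class of flaw is to invalidate the reset token the moment it is redeemed instead of letting it live out its one-hour lifetime. The following Python code is an added example, not Fortinet's code: the `ResetTokenStore` class, its `single_use` switch, the `replay_succeeds` check and the sample account are hypothetical, and `single_use=False` reproduces the behaviour described above.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 3600  # one-hour lifetime, as stated in the advisory

class ResetTokenStore:
    """In-memory reset-token store (hypothetical; not FortiCloud code)."""

    def __init__(self, single_use=True, clock=time.time):
        self.single_use = single_use  # False = link stays valid after use
        self.clock = clock
        self._tokens = {}             # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        expires_at = self.clock() + RESET_TTL_SECONDS
        self._tokens[self._digest(token)] = (user, expires_at)
        return token

    def redeem(self, token):
        """Return the user allowed to reset, or None if the link is invalid."""
        key = self._digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._tokens[key]
            return None
        if self.single_use:
            # Drop every outstanding link for this user, not only this one.
            self._tokens = {k: v for k, v in self._tokens.items() if v[0] != user}
        return user

def replay_succeeds(single_use):
    """Redeem a link, then present it again 10 minutes later (constructed)."""
    now = [1_000_000.0]
    store = ResetTokenStore(single_use=single_use, clock=lambda: now[0])
    link_token = store.issue("alice@example.com")
    assert store.redeem(link_token) == "alice@example.com"  # legitimate reset
    now[0] += 600                                           # inside the hour
    return store.redeem(link_token) is not None
```

A regression test for a real reset flow follows the same shape: complete a reset, present the same link again before its expiry time, and require a rejection.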

Affected Products

FortiCloud 3.2.1 and below (before August, 2018)


FortiCloud 3.3.0 (online since August, 2018)


Fortinet is pleased to thank Nikhil Kumar from Adayptus Security Team for reporting this vulnerability under responsible disclosure.