Forgot password link doesn't expire after use Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-074 Final 1 1 2018-08-24T00:00:00 Current version 2018-08-24T00:00:00 2018-08-24T00:00:00 FortiCloud password reset link requested by the user takes one hour to expire even after password was changed successfully, thus allowing attackers to take over user's account if they somehow gain access to the reset link for the user's password. Improper access control FortiCloud 3.2.1 and below (before August, 2018) FortiCloud 3.3.0 (online since August, 2018) Fortinet is pleased to thank Nikhil Kumar (https://www.linkedin.com/in/nikhil73/) from Adayptus Security Team (https://adayptus.com/) for reporting this vulnerability under responsible disclosure. 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-18-074 Forgot password link doesn't expire after use Reference>