PSIRT Advisory

Forgot password link doesn't expire after use

Summary

A FortiCloud password reset link requested by the user remains valid for one hour even after the password has been changed successfully. An attacker who somehow obtains the reset link can therefore use it within that window to take over the user's account.
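The defect and its fix side by side, as an added illustration that is not FortiCloud's implementation: the ResetService class, its one-hour TTL handling and the revoke_on_change switch are hypothetical, with revoke_on_change=False modelling the behaviour described above and True modelling a reset link that dies the moment the password changes.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
@dataclass
class ResetToken:
    user: str
    expires_at: float
    revoked: bool = False

def _digest(token: str) -> str:
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

class ResetService:
    """Hypothetical reset flow (not FortiCloud's code). Tokens expire after TTL;
    revoke_on_change=True also revokes them once the password changes, closing
    the window the advisory describes; False models the pre-3.3.0 behaviour."""
    TTL = 3600  # one hour, as in the advisory

    def __init__(self, revoke_on_change: bool, clock=time.time):
        self.revoke_on_change = revoke_on_change
        self.clock = clock
        self.tokens: dict[str, ResetToken] = {}  # digest -> record
        self.passwords: dict[str, str] = {}

    def request_reset(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = ResetToken(user, self.clock() + self.TTL)
        return token

    def change_password(self, token: str, new_password: str) -> bool:
        rec = self.tokens.get(_digest(token))
        if rec is None or rec.revoked or self.clock() > rec.expires_at:
            return False
        self.passwords[rec.user] = new_password
        if self.revoke_on_change:
            # Revoke every outstanding link for this account, not only this one.
            for other in self.tokens.values():
                if other.user == rec.user:
                    other.revoked = True
        return True

def link_reusable_after_reset(revoke_on_change: bool) -> bool:
    """True if the same reset link still changes the password a second time."""
    svc = ResetService(revoke_on_change, clock=lambda: 1_000_000.0)  # fixed clock
    link = svc.request_reset("alice")
    assert svc.change_password(link, "first-new-pw")  # legitimate use
    return svc.change_password(link, "second-pw")  # reuse inside the one-hour window
```

A real deployment would also revoke outstanding tokens on any other password change or account-recovery path, and would log a rejected reuse of a consumed token as a signal worth investigating.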

Impact

Improper Access Control

Affected Products

FortiCloud 3.2.1 and below (before August, 2018)

Solutions

FortiCloud 3.3.0 (online since August, 2018)

Acknowledgement

Fortinet is pleased to thank Nikhil Kumar: https://www.linkedin.com/in/nikhil73 from Adayptus Security Team: https://adayptus.com for reporting this vulnerability under responsible disclosure.