Forgot password link doesn't expire after use

Summary

A FortiCloud password reset link requested by a user remains valid for one hour even after the password has been changed successfully. An attacker who somehow obtains the reset link can therefore still use it within that window to take over the user's account.
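The underlying defect is a reset token that is only time-bounded, not single-use. The following is an added illustration (not FortiCloud's or Fortinet's code) of a reset-token service that keeps the one-hour lifetime but also discards the token, and any other outstanding token for the same user, the moment a reset succeeds; the in-memory store, `PasswordResetService` name and the `invalidate_on_use` switch used to reproduce the pre-fix behaviour are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed stand-in for a real token store (assumption for this example).
RESET_TTL_SECONDS = 3600  # the one-hour lifetime described in the advisory


class PasswordResetService:
    """Issues password reset tokens and enforces both expiry and single use."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised
        self._tokens = {}          # sha256(token) -> (username, expires_at)
        self._passwords = {}       # username -> current password (demo only)

    @staticmethod
    def _key(token):
        # Store only a digest so a leaked store does not leak usable links
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, username):
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (username, self._now() + RESET_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password, *, invalidate_on_use=True):
        """Return True if the reset was applied, False if the token is rejected.

        invalidate_on_use=False reproduces the advisory's bug: the link stays
        valid for the rest of the hour after a successful reset.
        """
        key = self._key(token)
        entry = self._tokens.get(key)
        if entry is None:
            return False
        username, expires_at = entry
        if self._now() > expires_at:
            del self._tokens[key]      # expired: purge and reject
            return False
        self._passwords[username] = new_password
        if invalidate_on_use:
            # Fix: a successful reset burns this token and every other
            # reset token still outstanding for the same account.
            self._tokens = {k: v for k, v in self._tokens.items() if v[0] != username}
        return True
```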

Affected Products

FortiCloud 3.2.1 and below (before August, 2018)

Solutions

FortiCloud 3.3.0 (online since August, 2018)

Acknowledgement

Fortinet is pleased to thank Nikhil Kumar (https://www.linkedin.com/in/nikhil73/) from Adayptus Security Team (https://adayptus.com/) for reporting this vulnerability under responsible disclosure.