Forgot password link doesn't expire after use
FortiCloud password reset link requested by the user takes one hour to expire even after password was changed successfully, thus allowing attackers to take over user's account if they somehow gain access to the reset link for the user's password.
Improper Access Control
FortiCloud 3.2.1 and below (before August, 2018)
FortiCloud 3.3.0 (online since August, 2018)