When you generate the new temporary password don't forget that the old password should still work, too, as long as the user hasn't set the new password yet. The forgot password form could be used by anyone so someone might enter someone else's email address and send the form (either by mistake or intentionally). If the old password stopped working at that moment then the user the account belongs to will be blocked.
Another approach would be to simply send a one-time link with a unique code that will enable the user to set a new password - so no need to generate a random password. The link would lead the user to a form where they can set the password. However, it's a good idea to make the link expire soon, for example after 24 hours.