The application is vulnerable to broken authentication: changing the account password does not invalidate the user's other active sessions, so the same account can be used at the same time from two different sessions that were authenticated with two different passwords. This increases the likelihood of account hijacking, because a session that was established before the change keeps working after the password has been changed.
Reproduce scenario:
1- Log in using the username and password.
2- Change the user account password.
3- Leave the current session open, open a new browser session and log in using the new password.
4- You now have two open sessions authenticated with different passwords.
Expected scenario:
1- Log in using the username and password.
2- Change the user account password.
3- The system should end the session and ask the user to log in again with the new password.
4- All open sessions are using the new password.
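The fix that the expected scenario describes, as an added example that is not part of the original report: a constructed in-memory account and session store in which a password change revokes every session of that user, with a flag that reproduces the reported behaviour for comparison. The class, function and account names (AuthService, reproduce, alice) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class AuthService:
    # Constructed in-memory account/session store; the flag only contrasts the reported behaviour with the fix.
    def __init__(self, revoke_on_password_change=True):
        self.revoke_on_password_change = revoke_on_password_change
        self.users = {}     # username -> {"salt": bytes, "hash": bytes}
        self.sessions = {}  # session id -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _verify(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user["hash"], self._hash(password, user["salt"]))

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)  # fresh salt on every (re)set
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt)}

    def login(self, username, password):
        if not self._verify(username, password):
            return None
        sid = secrets.token_urlsafe(32)  # fresh, unguessable session id
        self.sessions[sid] = username
        return sid

    def change_password(self, sid, old_password, new_password):
        username = self.sessions.get(sid)
        if username is None or not self._verify(username, old_password):
            return False
        self.set_password(username, new_password)
        if self.revoke_on_password_change:
            # The fix: drop every session of this user, the caller's included,
            # so each open browser must log in again with the new password.
            self.sessions = {s: u for s, u in self.sessions.items() if u != username}
        return True

def reproduce(revoke):
    # Walk the report's steps; return (old session still valid, new login succeeded).
    svc = AuthService(revoke_on_password_change=revoke)
    svc.set_password("alice", "old-pass")
    first = svc.login("alice", "old-pass")                      # step 1
    assert svc.change_password(first, "old-pass", "new-pass")  # step 2
    second = svc.login("alice", "new-pass")                     # step 3
    return first in svc.sessions, second is not None
```

With the flag off, reproduce() returns (True, True), the two live sessions from the report; with the fix on it returns (False, True), the old session is gone and only the new password logs in.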