The application does not invalidate existing login sessions on the server side after a password change. This is a risk when a user logs in on a shared or public computer and an attacker captures or keeps that login session: even after the user changes the password, the captured session remains valid and the attacker keeps control of the account. Changing the password is the usual response to a suspected compromise, so it must also terminate every other active session.
1 - Log in to the same account from 2 different computers.
2 - On one computer, change the password.
3 - Result: on the other computer, the existing session can still be used normally; no re-authentication is required.
Image POC: https://drive.google.com/drive/folders/1A0uciV3z0in1qpEkhCT49P_9QAWN3IUx?usp=sharing
Invalidate all of the user's existing sessions on the server side when the password is changed (and clear the session cookie/token on the client). The session that performed the change may be kept, but it should be re-issued with a new session identifier; every other session must be destroyed so that an attacker holding an old session is logged out.
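As an added example (not code from the report or from the affected application), the server-side behaviour the recommendation asks for, written in Python with only the standard library. The in-memory store, the user name and the passwords are hypothetical. It combines two mechanisms: explicit deletion of all of the user's sessions on password change, and a per-user password version recorded in each session so that a session issued under an old password is rejected even if the deletion was missed (for example because of a cache or replica that has not caught up).

```python
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    password_version: int = 0  # bumped on every password change


@dataclass
class Session:
    username: str
    password_version: int  # password version that was current when the session was issued


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; production code would use argon2id or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Hypothetical server-side user and session store (in-memory, for illustration)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}  # session token -> Session

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return secrets.compare_digest(user.password_hash, _hash_password(password, user.salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.password_version)
        return token

    def current_user(self, token: str) -> Optional[str]:
        """Resolve a session token; returns None if the session is missing or stale."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users[session.username]
        # Defence in depth: a session issued under an older password version is
        # rejected even if the explicit revocation below was somehow missed.
        if session.password_version != user.password_version:
            self.sessions.pop(token, None)
            return None
        return user.username

    def change_password(self, token: str, old_password: str, new_password: str) -> Optional[str]:
        """Change the password of the session's user.

        Destroys every session of that user (including the caller's old one) and
        returns a freshly issued token for the caller, or None on failure."""
        username = self.current_user(token)
        if username is None:
            return None
        user = self.users[username]
        if not self._check_password(user, old_password):
            return None
        user.salt = os.urandom(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.password_version += 1
        # Explicit revocation: drop all sessions belonging to this user.
        for stale in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[stale]
        # Re-issue the caller's session under a new identifier.
        new_token = secrets.token_urlsafe(32)
        self.sessions[new_token] = Session(username, user.password_version)
        return new_token


def demo() -> Tuple[bool, bool, bool]:
    """Replays the report's steps: two logins, a password change on one computer,
    then a check of which sessions are still usable."""
    store = SessionStore()
    store.register("alice", "old-password")       # constructed sample user
    computer1 = store.login("alice", "old-password")
    computer2 = store.login("alice", "old-password")
    computer1_new = store.change_password(computer1, "old-password", "new-password")
    return (
        store.current_user(computer1_new) == "alice",  # the changing session continues (rotated)
        store.current_user(computer2) is None,         # the other computer is logged out
        store.current_user(computer1) is None,         # the caller's old token is dead as well
    )


if __name__ == "__main__":
    print(demo())
```

The per-session password version is what makes the fix robust in a deployment with several application servers or a session cache: the explicit delete handles the common case immediately, and the version check guarantees that nothing issued before the change can be replayed afterwards.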