V3 - Session Management
Old sessions are not invalidated after a password change
POC
- Login as UserA
- Intercept one of the authenticated requests and send to Burp repeater
- Change the password with password reset or any other functionality
- Send the intercepted request from Burp Repeater again and observe that the old session is still valid (it was not invalidated by the password change)
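The fix the POC argues for, as an added illustration (not code from the tested application): each session records the user's "credential generation" at login, and a password change bumps that generation so every session issued earlier fails validation. The store, user names and token format are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed example: an in-memory session store whose sessions carry a
# snapshot of the user's credential generation. A password change bumps
# the generation, so any session issued before it is rejected.
# Password storage is out of scope here; only the session lifecycle is shown.


@dataclass
class Session:
    user: str
    generation: int  # user's credential generation when the session was issued


@dataclass
class SessionStore:
    check_generation: bool = True  # False reproduces the reported weakness
    generations: dict = field(default_factory=dict)  # user -> current generation
    sessions: dict = field(default_factory=dict)  # token -> Session

    def login(self, user: str) -> str:
        gen = self.generations.setdefault(user, 0)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, gen)
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        if self.check_generation and s.generation != self.generations[s.user]:
            # Stale: issued before the latest password change. Drop it.
            del self.sessions[token]
            return False
        return True

    def change_password(self, user: str) -> None:
        # Bump the generation: every existing session of this user is now
        # stale. The device that changed the password logs in again.
        self.generations[user] = self.generations.get(user, 0) + 1


if __name__ == "__main__":
    # Replay the POC: an intercepted token is reused after a password change.
    store = SessionStore()
    old = store.login("UserA")  # the "intercepted" authenticated session
    store.change_password("UserA")
    fresh = store.login("UserA")
    print("old token still valid:", store.is_valid(old))  # False
    print("fresh token valid:", store.is_valid(fresh))  # True
```

With check_generation=False the old token stays valid after the change, which is the behaviour observed in Burp Repeater above.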
Impact
Low
Likelihood
Low