The application does not invalidate existing sessions after the password is changed, which can enable an attacker to continue using a compromised session.
1) Log in to the same account in two different browsers (https://demo.bigbluebutton.org/gl)
2) Change the password in the 1st browser and you will see that the 2nd browser's session is still valid after the password change (even after refreshing the page). You can do anything with the 2nd browser, which logged in with the old password.
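One way to close this gap, as an added example that is not the application's own code: each session records the credential generation it was issued under, and a password change bumps that generation and rotates the caller's token. The class `AccountStore`, its method names and the in-memory storage are hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical in-memory account and session store (illustrative names only).
class AccountStore
  Session = Struct.new(:user, :generation)

  def initialize
    @users, @sessions = {}, {} # name => credential record, token => Session
  end

  # Creates the account on first use; otherwise replaces the stored credential.
  def store_password(name, password)
    salt = SecureRandom.random_bytes(16)
    (@users[name] ||= { generation: 0 }).merge!(salt: salt, hash: kdf(password, salt))
  end

  def login(name, password)
    user = @users[name] or return nil
    ok = OpenSSL.fixed_length_secure_compare(user[:hash], kdf(password, user[:salt]))
    ok ? issue(name) : nil
  end

  # A session is valid only if issued under the current credential generation.
  def authenticated?(token)
    session = @sessions[token]
    return true if session && session.generation == @users[session.user][:generation]
    @sessions.delete(token) # unknown, or issued before the last password change
    false
  end

  # Bumping the generation kills every older session; the caller gets a new token.
  def change_password(token, new_password)
    return nil unless authenticated?(token)
    name = @sessions.delete(token).user
    store_password(name, new_password)
    @users[name][:generation] += 1
    issue(name)
  end

  private
  def issue(name)
    SecureRandom.hex(32).tap { |t| @sessions[t] = Session.new(name, @users[name][:generation]) }
  end

  def kdf(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new('SHA256'))
  end
end
```

With this check in place, the 2nd browser from the steps above fails `authenticated?` on its next request and has to log in again with the new password.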