
Bug report Broken Authentication and Session Management (leads to account compromise if some conditions are met)

Open tatarincev opened this issue 6 years ago • 0 comments

Hi, steps to repro:

  1. Create a (virtocommerce) account having an email address "[email protected]".
  2. Now log out and ask for a password reset link. Don't use the password reset link.
  3. Log back in using the same password and update your email address to "[email protected]" and verify the same.
  4. Now log out and use the password reset link which was mailed to "[email protected]" in step 2.
  5. Password will be changed.

All previous password reset links should automatically expire once a user changes his email address. Please let me know if this can be fixed.

tatarincev, Jul 27 '18 11:07
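One way to get the behaviour the report asks for, shown as an added example that is not part of the original issue and not vc-platform's code: a stateless reset token whose MAC also covers the account's current email and password hash, so changing either one invalidates every outstanding link. The key, lifetime, `User` fields and addresses are constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
TOKEN_TTL = 3600                      # assumption: link lifetime in seconds


@dataclass
class User:  # hypothetical account record
    user_id: str
    email: str
    password_hash: str


def _mac(user: User, expires: int, bind_state: bool) -> bytes:
    # Weak variant: signs only user id and expiry.
    # Bound variant: also signs the current email and password hash.
    parts = [user.user_id, str(expires)]
    if bind_state:
        parts += [user.email.lower(), user.password_hash]
    msg = "\x00".join(parts).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(user: User, now: int, bind_state: bool = True) -> str:
    expires = now + TOKEN_TTL
    return f"{expires}.{_mac(user, expires, bind_state).decode()}"


def verify_token(user: User, token: str, now: int, bind_state: bool = True) -> bool:
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if now > expires:
        return False  # link has expired
    # Recompute over the account's *current* state and compare in constant time.
    return hmac.compare_digest(mac.encode(), _mac(user, expires, bind_state))


def replay_report_steps(bind_state: bool) -> bool:
    """Replays steps 1-4 of the report; True means the old link still works."""
    user = User("u1", "old@example.test", "hash-v1")             # step 1
    token = issue_token(user, now=1000, bind_state=bind_state)   # step 2
    user.email = "new@example.test"                              # step 3
    return verify_token(user, token, now=1500, bind_state=bind_state)  # step 4


if __name__ == "__main__":
    print("unbound token survives email change:", replay_report_steps(False))
    print("bound token survives email change:  ", replay_report_steps(True))
```

Systems that store reset tokens server-side reach the same result by deleting the user's pending tokens in the email-change and password-change handlers.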