The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victims browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victims account being taken over.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Such a scenario is commonly observed when: