[CRITICAL] Confirming an opt-in token does not invalidate previous opt-in tokens

PKSA-ypgr-2z5b-9d8t CVE-2019-10643 GHSA-j99g-qjvx-995g

Affected package: contao/contao

Affected version: >=4.7.0,<4.7.3

Reported by:
FriendsOfPHP/security-advisories, GitHub