[CRITICAL] Confirming an opt-in token does not invalidate previous opt-in tokens

PKSA-pnr9-2f76-g9z8 CVE-2019-10643 GHSA-j99g-qjvx-995g

Affected package: contao/core-bundle

Affected version: >=4.7.0,<4.7.3

Reported by:
FriendsOfPHP/security-advisories, GitHub