Read the official Contao announcements.
Security vulnerability CVE-2019-10641
by Leo Feyer
Security researcher Ali Razzaq has discovered that existing sessions are not correctly invalidated when a user changes their password in the back end or front end. The security vulnerability has the identifier CVE-2019-10641.
The problem affects all Contao versions and has been fixed in Contao 3.5.39, Contao 4.4.37 and Contao 4.7.3.
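The control at issue in this advisory, shown as an added example (not Contao's code and not its actual fix): a minimal in-memory session store in which a password change bumps a per-user credential version, so sessions issued under the old password stop validating. The class, method and field names are hypothetical.

```python
import hashlib
import secrets


class SessionStore:
    """Hypothetical model: each session records the credential version it was issued under."""

    def __init__(self):
        self._users = {}     # username -> {"salt", "hash", "cred_version"}
        self._sessions = {}  # session id -> (username, cred_version at issue time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt), "cred_version": 0}

    def login(self, username, password):
        user = self._users.get(username)
        if user is None or not secrets.compare_digest(user["hash"], self._hash(password, user["salt"])):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (username, user["cred_version"])
        return sid

    def current_user(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, version = entry
        if version != self._users[username]["cred_version"]:
            del self._sessions[sid]  # issued under an older password: reject and purge
            return None
        return username

    def change_password(self, sid, new_password):
        username = self.current_user(sid)
        if username is None:
            raise PermissionError("not authenticated")
        user = self._users[username]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = self._hash(new_password, user["salt"])
        user["cred_version"] += 1  # every session issued before this point is now stale
        del self._sessions[sid]    # rotate the caller's own session id as well
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = (username, user["cred_version"])
        return new_sid
```

Checking the version on every request, rather than only deleting sessions at change time, also covers session records the password-change code path cannot enumerate.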