Read the official Contao announcements.
Security vulnerability CVE-2019-10642
by Leo Feyer
Security researcher Ali Razzaq has discovered that the request token check can be bypassed in Contao 4.7. The security vulnerability has the identifier CVE-2019-10642.
The problem affects only Contao 4.7 and has been fixed in Contao 4.7.3.