diff --git a/typo3/sysext/backend/Classes/Controller/HelpController.php b/typo3/sysext/backend/Classes/Controller/HelpController.php
index 78b57cb998aef819141dea051a1ef15278f42cb7..1c9683ff33c702fed7079bcf24cd8584f553b749 100644
--- a/typo3/sysext/backend/Classes/Controller/HelpController.php
+++ b/typo3/sysext/backend/Classes/Controller/HelpController.php
@@ -38,6 +38,8 @@ use TYPO3Fluid\Fluid\View\ViewInterface;
  */
 class HelpController
 {
+    protected const ALLOWED_ACTIONS = ['index', 'all', 'detail'];
+
     /**
      * Section identifiers
      */
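Review bot: `ALLOWED_ACTIONS` is declared `protected` but the guard further down reads it through `self::`, so a subclass that redeclares the constant would not change what handleRequest accepts. If that is the intent, `private const ALLOWED_ACTIONS = ['index', 'all', 'detail'];` states it directly. The constant also has no docblock, unlike the property below it; something like `/** Request-selectable actions; each entry needs a matching <name>Action() method. */` would tell the next maintainer that adding an action method means touching this list. The same applies to the constant added in SiteConfigurationController.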
@@ -96,6 +98,10 @@ class HelpController
             }
         }
 
+        if (!in_array($action, self::ALLOWED_ACTIONS, true)) {
+            return new HtmlResponse('Action not allowed', 400);
+        }
+
         $this->initializeView($action);
 
         $result = call_user_func_array([$this, $action . 'Action'], [$request]);
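Review bot: The new guard is the only thing standing between the request-supplied `$action` and the `call_user_func_array([$this, $action . 'Action'], [$request])` dispatch two lines below, but nothing in the code says so. A comment above the `if`, for example `// $action is request input and becomes a method name below; only allow-listed actions may be dispatched.`, would keep a later refactor from moving or dropping the check. The rejection is also silent; if a logger is available in this controller, recording that an action was rejected would make probing of this parameter visible. handleRequest starts and ends outside this hunk, so where `$action` is first assigned cannot be seen here. The same comment would fit the identical guard in SiteConfigurationController.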
diff --git a/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php b/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php
index adcecdfafca201d144875375850ae45715dd4556..04d76fcbea260f85d837766fe8f6f63427f791d3 100644
--- a/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php
+++ b/typo3/sysext/backend/Classes/Controller/SiteConfigurationController.php
@@ -59,6 +59,8 @@ use TYPO3Fluid\Fluid\View\ViewInterface;
  */
 class SiteConfigurationController
 {
+    protected const ALLOWED_ACTIONS = ['overview', 'edit', 'save', 'delete'];
+
     /**
      * @var ModuleTemplate
      */
@@ -97,7 +99,13 @@ class SiteConfigurationController
         $this->moduleTemplate->getPageRenderer()->loadRequireJsModule('TYPO3/CMS/Backend/ContextMenu');
         $this->moduleTemplate->getPageRenderer()->loadRequireJsModule('TYPO3/CMS/Backend/Modal');
         $action = $request->getQueryParams()['action'] ?? $request->getParsedBody()['action'] ?? 'overview';
+
+        if (!in_array($action, self::ALLOWED_ACTIONS, true)) {
+            return new HtmlResponse('Action not allowed', 400);
+        }
+
         $this->initializeView($action);
+
         $result = call_user_func_array([$this, $action . 'Action'], [$request]);
         if ($result instanceof ResponseInterface) {
             return $result;
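Review bot: The allow-list admits `save` and `delete` no matter how the request arrived, and the unchanged line above the guard reads `action` from the query string before the parsed body. As far as this hunk shows, a state-changing action can therefore be selected by a plain GET URL. Whether the backend route already enforces a request token or a method check is not visible here and should be confirmed. If it does not, a method check beside the guard would cover it, e.g. `if ($action === 'save' && $request->getMethod() !== 'POST') { return new HtmlResponse('Method not allowed', 405); }`, with the equivalent decision made for `delete`. The enclosing method starts and ends outside the hunk.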
diff --git a/typo3/sysext/redirects/Classes/Controller/ManagementController.php b/typo3/sysext/redirects/Classes/Controller/ManagementController.php
index fcfa1e7d243f3f0eded2d8d615354804400ad63c..3d47fc7d90d0e96df3cfa071f3a8f940fe999c36 100644
--- a/typo3/sysext/redirects/Classes/Controller/ManagementController.php
+++ b/typo3/sysext/redirects/Classes/Controller/ManagementController.php
@@ -83,13 +83,8 @@ class ManagementController
     public function handleRequest(ServerRequestInterface $request): ResponseInterface
     {
         $this->request = $request;
-        $action = $request->getQueryParams()['action'] ?? $request->getParsedBody()['action'] ?? 'overview';
-        $this->initializeView($action);
-
-        $result = $this->{$action . 'Action'}($request);
-        if ($result instanceof ResponseInterface) {
-            return $result;
-        }
+        $this->initializeView('overview');
+        $this->overviewAction($request);
         $this->moduleTemplate->setContent($this->view->render());
         return new HtmlResponse($this->moduleTemplate->renderContent());
     }
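Review bot: The return value of `overviewAction($request)` is now discarded, whereas the removed code returned it when it was a `ResponseInterface`. If overviewAction can return a response (it is not shown in this hunk), that response is lost and the module template is rendered instead. Either keep the check, `$result = $this->overviewAction($request);` followed by `if ($result instanceof ResponseInterface) { return $result; }`, or confirm that the method returns nothing. A comment such as `// Only the overview action is dispatched; the request's "action" parameter is deliberately ignored.` would also record why the dynamic dispatch was removed.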