diff --git a/typo3/sysext/backend/Classes/Http/RequestHandler.php b/typo3/sysext/backend/Classes/Http/RequestHandler.php
index 3c4c2f6396a21fba4e48fea3953ddb0323372112..b5acbb33e90d1848c3455b09b8d9d3dd355de916 100644
--- a/typo3/sysext/backend/Classes/Http/RequestHandler.php
+++ b/typo3/sysext/backend/Classes/Http/RequestHandler.php
@@ -19,6 +19,7 @@ use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\RequestHandlerInterface as PsrRequestHandlerInterface;
 use TYPO3\CMS\Backend\Routing\Exception\InvalidRequestTokenException;
+use TYPO3\CMS\Backend\Routing\Router;
 use TYPO3\CMS\Core\Core\Bootstrap;
 use TYPO3\CMS\Core\Http\RedirectResponse;
 use TYPO3\CMS\Core\Http\RequestHandlerInterface;
@@ -77,17 +78,27 @@ class RequestHandler implements RequestHandlerInterface, PsrRequestHandlerInterf
         $moduleName = $request->getQueryParams()['M'] ?? $request->getParsedBody()['M'] ?? null;
         // Allow the login page to be displayed if routing is not used and on index.php
         $pathToRoute = $request->getQueryParams()['route'] ?? $request->getParsedBody()['route'] ?? $moduleName ?? '/login';
-        $request = $request->withAttribute('routePath', $pathToRoute);
 
         // skip the BE user check on the login page
         // should be handled differently in the future by checking the Bootstrap directly
         $this->boot($pathToRoute === '/login');
 
         if ($moduleName !== null) {
+            // backwards compatibility for old module names
+            // @deprecated since TYPO3 CMS 9, will be removed in TYPO3 CMS 10.
+            $router = GeneralUtility::makeInstance(Router::class);
+            foreach ($router->getRoutes() as $routeIdentifier => $route) {
+                if ($routeIdentifier === $moduleName) {
+                    $pathToRoute = $route->getPath();
+                    break;
+                }
+            }
+
             trigger_error('Calling the TYPO3 Backend with "M" GET parameter will be removed in TYPO3 v10,'
                 . ' the calling code calls this script with "&M=' . $moduleName . '" and needs to be adapted'
                 . ' to use the TYPO3 API.', E_USER_DEPRECATED);
         }
+        $request = $request->withAttribute('routePath', $pathToRoute);
 
         // Check if the router has the available route and dispatch.
         try {
diff --git a/typo3/sysext/backend/Classes/Http/RouteDispatcher.php b/typo3/sysext/backend/Classes/Http/RouteDispatcher.php
index 3ea23016fdce5ec54aabf518edbc8b7b1e4ab3fd..da3e36e19581e0f0edba8de9bd0a4293f21da909 100644
--- a/typo3/sysext/backend/Classes/Http/RouteDispatcher.php
+++ b/typo3/sysext/backend/Classes/Http/RouteDispatcher.php
@@ -88,7 +88,13 @@ class RouteDispatcher extends Dispatcher implements DispatcherInterface
             return true;
         }
         $token = (string)($request->getParsedBody()['token'] ?? $request->getQueryParams()['token']);
-        return $this->getFormProtection()->validateToken($token, 'route', $route->getOption('_identifier'));
+        if ($token) {
+            return $this->getFormProtection()->validateToken($token, 'route', $route->getOption('_identifier'));
+        }
+        // backwards compatibility: check for M and module token params
+        // @deprecated since TYPO3 CMS 9, will be removed in TYPO3 CMS 10.
+        $token = (string)($request->getParsedBody()['moduleToken'] ?? $request->getQueryParams()['moduleToken']);
+        return $this->getFormProtection()->validateToken($token, 'moduleCall', $request->getParsedBody()['M'] ?? $request->getQueryParams()['M']);
     }
 
     /**
diff --git a/typo3/sysext/extbase/Classes/Mvc/Web/Routing/UriBuilder.php b/typo3/sysext/extbase/Classes/Mvc/Web/Routing/UriBuilder.php
index aeaa39285250cf2c0924c78cb745a755f573c1e6..9d8dbd1dcbae84ac05af67c626c7aaf28dfb9a58 100644
--- a/typo3/sysext/extbase/Classes/Mvc/Web/Routing/UriBuilder.php
+++ b/typo3/sysext/extbase/Classes/Mvc/Web/Routing/UriBuilder.php
@@ -14,6 +14,7 @@ namespace TYPO3\CMS\Extbase\Mvc\Web\Routing;
  * The TYPO3 project - inspiring people to share!
  */
 
+use TYPO3\CMS\Backend\Routing\Exception\ResourceNotFoundException;
 use TYPO3\CMS\Core\Utility\ArrayUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Extbase\Mvc\Request;
@@ -664,7 +665,9 @@ class UriBuilder
             }
         } else {
             $id = GeneralUtility::_GP('id');
-            $module = GeneralUtility::_GP('route');
+            // backwards compatibility: check for M parameter
+            // @deprecated since TYPO3 CMS 9, will be removed in TYPO3 CMS 10.
+            $module = GeneralUtility::_GP('route') ?: GeneralUtility::_GP('M');
             if ($id !== null) {
                 $arguments['id'] = $id;
             }
@@ -678,13 +681,13 @@ class UriBuilder
         $moduleName = $arguments['route'] ?? null;
         unset($arguments['route'], $arguments['token']);
         $backendUriBuilder = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Routing\UriBuilder::class);
-        if (!empty($moduleName)) {
+        try {
             if ($this->request instanceof WebRequest && $this->createAbsoluteUri) {
                 $uri = (string)$backendUriBuilder->buildUriFromRoutePath($moduleName, $arguments, \TYPO3\CMS\Backend\Routing\UriBuilder::ABSOLUTE_URL);
             } else {
                 $uri = (string)$backendUriBuilder->buildUriFromRoutePath($moduleName, $arguments, \TYPO3\CMS\Backend\Routing\UriBuilder::ABSOLUTE_PATH);
             }
-        } else {
+        } catch (ResourceNotFoundException $e) {
             if ($this->request instanceof WebRequest && $this->createAbsoluteUri) {
                 $uri = (string)$backendUriBuilder->buildUriFromModule($moduleName, $arguments, \TYPO3\CMS\Backend\Routing\UriBuilder::ABSOLUTE_URL);
             } else {