SQL injection vulnerability in the activate_address function in framework/modules/addressbook/controllers/addressController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the is_what parameter.
Exponent CMS versions 2.3.9 and below suffer from multiple remote SQL injection vulnerabilities. Updates have been released to address these identified issues.