Observium Commercial – CSRF & Authenticated Code Execution

Posted by Dolev Farhi on May 03

# Exploit title: Observium Commercial – CSRF & Authenticated Code Execution
# Date: 28-04-2016
# Vendor homepage: http://observium.org/
# Software version: CE 0.16.7533
Authenticated remote code execution
Using either CSRF or by directly editing the whois binary field in the Observium web UI under Settings -> System Path, an attacker
may change the path of any of the whois, mtr or nmap binaries to an arbitrary bash command, and by hitting the URL:…
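The two controls the advisory implies are missing are a CSRF check on the settings form and validation of the external-binary path before it is stored. The following is an added example written for this page, not Observium code (Observium is PHP; this is a language-neutral illustration in Python). The setting names, the allowed directories, the `SettingsError` class and the `session`/`form` dicts are all assumptions standing in for whatever the real application uses.

```python
"""Hypothetical hardened handler for a 'System Path' settings form.

Added example, not Observium code. It shows (1) a constant-time CSRF token
check on the settings form and (2) an allowlist validation of the
whois/mtr/nmap path so that only a plain, absolute, normalized path to the
expected tool inside an approved directory can be saved, and (3) how the
stored path is later used as argv[0] without any shell.
"""
import hmac
import os
import re
import secrets

# Assumed allowlist of directories external tools may live in.
ALLOWED_DIRS = frozenset({"/bin", "/usr/bin", "/usr/local/bin"})
# Assumed map: setting key -> basename the configured path must end in.
EXPECTED_BASENAME = {"whois": "whois", "mtr": "mtr", "nmap": "nmap"}
# A single plain path token: no whitespace, quotes, ; | & $ ( ) ` or newlines.
_PATH_TOKEN = re.compile(r"[A-Za-z0-9_./+-]+")
# A hostname or IP literal; a leading '-' is refused so it cannot become an option.
_TARGET = re.compile(r"[A-Za-z0-9.:-]{1,253}")


class SettingsError(ValueError):
    """Raised when a settings update (or a tool invocation) is rejected."""


def new_csrf_token():
    """Per-session random token to embed as a hidden field in the form."""
    return secrets.token_urlsafe(32)


def check_csrf(session_token, submitted_token):
    """Constant-time comparison; a missing token on either side is a failure."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def validate_binary_path(setting, value, require_exists=True):
    """Return `value` if it is an acceptable path for `setting`, else raise."""
    if setting not in EXPECTED_BASENAME:
        raise SettingsError(f"unknown setting {setting!r}")
    if not isinstance(value, str) or not _PATH_TOKEN.fullmatch(value):
        raise SettingsError("path must be a single plain token")
    if not value.startswith("/"):
        raise SettingsError("path must be absolute")
    if os.path.normpath(value) != value:
        raise SettingsError("path must be normalized (no '..', '//' or trailing '/')")
    directory, base = os.path.split(value)
    if directory not in ALLOWED_DIRS:
        raise SettingsError(f"{directory} is not an allowed tool directory")
    if base != EXPECTED_BASENAME[setting]:
        raise SettingsError(f"{setting} must point at a binary named {EXPECTED_BASENAME[setting]}")
    if require_exists and not (os.path.isfile(value) and os.access(value, os.X_OK)):
        raise SettingsError(f"{value} is not an executable file")
    return value


def handle_settings_update(session, form, require_exists=True):
    """Process a POSTed settings form.

    `session` and `form` are plain dicts standing in for the framework's
    session and request objects. Returns the accepted settings or raises.
    """
    if not check_csrf(session.get("csrf_token"), form.get("csrf_token")):
        raise SettingsError("CSRF token missing or invalid")
    accepted = {}
    for key in EXPECTED_BASENAME:
        if key in form:
            accepted[key] = validate_binary_path(key, form[key], require_exists)
    return accepted


def build_argv(setting, path, target, require_exists=True):
    """Argument vector for running the tool: the stored path is argv[0] and
    the target argv[1]. The caller hands this list to subprocess.run(argv)
    (shell=False), so neither value can be reinterpreted as a command line."""
    if not _TARGET.fullmatch(target) or target.startswith("-"):
        raise SettingsError("target must be a hostname or IP literal")
    return [validate_binary_path(setting, path, require_exists), target]


if __name__ == "__main__":
    tok = new_csrf_token()
    print(handle_settings_update({"csrf_token": tok},
                                 {"csrf_token": tok, "whois": "/usr/bin/whois"},
                                 require_exists=False))
```

The path check is deliberately an allowlist rather than a denylist of shell metacharacters: it requires an exact basename in an approved directory, so a value like a command string, a relative path, or a path that escapes the approved directory through `..` is rejected whether or not it contains a character the denylist anticipated. Keeping `require_exists=True` in production adds the final check that the path really is an executable file.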