...
This noncompliant code example is identical to the first noncompliant code example except that it calls the POSIX function syslog() [IEEE Std 1003.1:2013] instead of fprintf(). Because syslog() also takes a printf-style format string, it is just as susceptible to format-string vulnerabilities when the message it receives is under user control:
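The compliant counterpart of the syslog() case, as an added example that is not code from the CERT page: the untrusted text is only ever consumed by a constant "%s" format, and a small helper checks that a string intended as a format carries no conversion specifications. The function names and the `out` buffer parameter are this example's own choices, not part of the standard.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example (not from the CERT page). Defender-side helpers for the
 * syslog() case: user data is passed as an argument to a fixed "%s"
 * format and never used as the format string itself. */

/* Returns 1 if `s` contains no conversion specifications ("%%" alone is a
 * literal percent sign), 0 otherwise. Handy as a cheap assertion in review
 * or test tooling; the real fix remains the constant format below. */
int format_is_literal(const char *s) {
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }  /* escaped percent sign */
            return 0;                            /* a conversion such as %s or %n */
        }
    }
    return 1;
}

/* Compliant pattern (hypothetical helper): the format string is a literal,
 * so the untrusted message can only be rendered, never interpreted. The
 * rendered text is also written to `out` so callers and tests can inspect
 * exactly what was logged. Returns the number of characters produced, or
 * -1 on an encoding error. */
int log_user_message(char *out, size_t out_len, const char *untrusted) {
    int n = snprintf(out, out_len, "%s", untrusted);
    if (n < 0) return -1;
    syslog(LOG_INFO, "%s", untrusted);   /* not: syslog(LOG_INFO, untrusted); */
    return n;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang flag a non-literal format string with no arguments, which catches the noncompliant `syslog(LOG_INFO, msg)` form at build time.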
...
| CERT C++ Secure Coding Standard | FIO30-CPP. Exclude user input from format strings |
| CERT Oracle Secure Coding Standard for Java | IDS06-J. Exclude unsanitized user input from format strings |
| CERT Perl Secure Coding Standard | IDS30-PL. Exclude user input from format strings |
| ISO/IEC TR 24772:2013 | Injection [RST] |
| ISO/IEC TS 17961 | Including tainted or out-of-domain input in a format string [usrfmt] |
| MITRE CWE | CWE-134, Uncontrolled format string |
Bibliography
| [IEEE Std 1003.1:2013] | XSH, System Interfaces, syslog() |
| [Seacord 2013] | Chapter 6, "Formatted Output" |
| [Viega 2005] | Section 5.2.23, "Format String Problem" |
...