Don’t call system. It is a high-level wrapper that passes its argument to the shell, which allows multiple commands to be chained in one string. Always prefer a more restrictive API such as execve from the exec family, which takes a fixed program path and an argument vector and never invokes a shell.

Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
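The following is an added example, not part of the rule text: a system() call that builds a command line from a caller-supplied name, next to a fork/execve replacement that passes the same name as a single literal argument. It assumes a Linux-like host where /bin/echo exists; the input string is constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

// Risky: system() hands the string to /bin/sh -c, so shell metacharacters
// in `name` (; | & $( ) backticks) are parsed as commands, not as a name.
int risky_echo(const char *name) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/bin/echo -n %s", name);
    return system(cmd);
}

// Safer: fixed program path plus an argv vector via fork/execve. No shell
// runs, so `name` reaches the child as one literal argument. The child's
// stdout is captured into `out` so the caller can see what it received.
ssize_t safe_echo(const char *name, char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        // child: send stdout into the pipe, then replace the process image
        char *const argv[] = {"echo", "-n", (char *)name, NULL};
        char *const envp[] = {NULL}; // empty environment: no PATH lookup, nothing inherited
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve("/bin/echo", argv, envp);
        _exit(127); // reached only if execve failed
    }
    close(fds[1]);
    ssize_t total = 0, n;
    while (total < (ssize_t)outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += n;
    close(fds[0]);
    out[total] = '\0';
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? total : -1;
}

int main(void) {
    char out[128];
    // constructed input carrying a shell metacharacter sequence
    const char *input = "report.txt; id";
    if (safe_echo(input, out, sizeof out) >= 0)
        printf("child received: [%s]\n", out); // the literal string, nothing else ran
    return 0;
}
```

With the execve version the child prints the whole string back unchanged; the same string given to risky_echo would be split by the shell at the semicolon.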