CVE-2015-10030: 
PHP vulnerability analysis and mitigation

A critical vulnerability (CVE-2015-10030) was discovered in SUKOHI Surpass affecting the file src/Sukohi/Surpass/Surpass.php. The vulnerability was disclosed on January 8, 2023, and involves a pathname traversal issue where manipulation of the 'dir' argument could lead to unauthorized directory access. The vulnerability affects all versions of SUKOHI Surpass prior to version 1.0.0 (NVD).

The vulnerability is classified as a path traversal vulnerability (CWE-22) that allows manipulation of the 'dir' argument in the src/Sukohi/Surpass/Surpass.php file. The CVSS v3.1 base score is 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N according to NVD assessment. The vulnerability could allow attackers to access directories outside of the intended directory structure (NVD).

If exploited, this vulnerability could lead to unauthorized access to directories outside of the intended directory structure, potentially exposing sensitive information. The impact is primarily focused on confidentiality, with the ability to read files that should not be accessible through the application (NVD).

The vulnerability has been fixed in version 1.0.0 of SUKOHI Surpass. The patch (d22337d453a2a14194cdb02bf12cdf9d9f827aa7) prevents directory traversal attacks by removing potentially dangerous characters ('/', '.', and null bytes) from the dir parameter. Users should upgrade to version 1.0.0 or later to address this security issue (GitHub Patch).