Research & Disclosure

Security Research

Giving back to the community is part of our work as an offensive cybersecurity firm. We research vulnerabilities in real-world products, report them under coordinated disclosure and work with vendors until the fix ships to every user.

Our commitment to the community

At Secra we don't only hunt for vulnerabilities inside client engagements — we also spend time looking at widely used products and services. When we find a security issue, we reach out to the affected vendor under responsible / coordinated disclosure and work with them until the fix is available to all users.

Below is the list of public advisories signed off by our team. Each entry links to the official NVD record at NIST so you can review the technical detail and the applied fix.

Published advisories

CVE-2025-40652
Severity: Medium
CVSS 5.3

Cross-Site Scripting (XSS) in CoverManager

Vendor
CoverManager
Status
Patched

Cross-Site Scripting (XSS) vulnerability in the CoverManager web application allowing a remote attacker to inject arbitrary JavaScript via an unsanitised HTTP parameter. Exploitation enabled compromise of authenticated sessions on the reservations platform.

Impact: Session hijacking, JavaScript execution in the victim's browser context, impersonation and access to reservation data.

View advisory on NVD
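
The CoverManager entry above describes the general pattern behind reflected XSS: a request parameter is written into the page without encoding, so the browser treats attacker-supplied text as markup. The following is an added illustration written for this page, not code from CoverManager or from the advisory; the parameter name `name`, the greeting template and the sample query string are constructed for the example. It renders the same parameter with and without HTML encoding and then parses each result the way a browser would, so you can see which elements the page ends up creating.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample request: the 'name' parameter carries a harmless
# script tag, percent-encoded as it would travel in a query string.
CONSTRUCTED_QUERY = "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted text is interpolated into HTML verbatim."""
    return f"<p>Welcome back, {name}</p>"


def render_greeting(name: str) -> str:
    """Hardened pattern: HTML-encode the value before it touches the markup.
    html.escape encodes &, <, >, " and ', which covers text content and
    quoted attribute values (but not JavaScript or URL contexts)."""
    return f"<p>Welcome back, {html.escape(name)}</p>"


def greeting_from_query(query_string: str, safe: bool = True) -> str:
    """Parse the query string once (parse_qs percent-decodes) and render."""
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get("name", [""])[0]
    return render_greeting(name) if safe else render_greeting_unsafe(name)


class _TagCollector(HTMLParser):
    """Records every element start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def elements_created(fragment: str) -> list[str]:
    """Return the element names a browser-like parser would create from
    `fragment`; a 'script' element here means the parameter became code."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for safe in (False, True):
        rendered = greeting_from_query(CONSTRUCTED_QUERY, safe=safe)
        print(f"safe={safe}: {rendered}")
        print("  elements:", elements_created(rendered))
```

The unsafe rendering yields a `p` and a `script` element; the encoded rendering yields only the `p`, with the payload shown as inert text. Encoding has to match the output context, so the same value placed inside a JavaScript block or an attribute such as `href` needs a different encoder than `html.escape`.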

CVE-2023-3512
Severity: High
CVSS 7.5

Relative path traversal in ConacWin CB (Setelsa Security)

Vendor
Setelsa Security
Status
Patched by vendor

Relative path traversal vulnerability in Setelsa Security ConacWin CB. A remote attacker could access files outside the intended directory using ../ sequences in the path, exposing sensitive information from the access-control system.

Impact: File disclosure, exposure of configuration data and potential chaining with other issues to escalate impact.

View advisory on NVD
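The ConacWin CB entry above describes relative path traversal: `../` sequences in a client-supplied path walk out of the directory the application meant to serve. The following is an added example written for this page, not code from Setelsa Security or from the advisory; the served directory layout, the `shortcut` symlink and the sample request list are constructed. It shows the check a server-side file handler should apply: decode the path exactly once, resolve it (including symlinks and `..`) and accept it only if the result is still inside the served root.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would leave the served directory."""


def resolve_under(base: Path, requested: str) -> Path:
    """Map a client-supplied path onto the file system only if the result
    stays inside `base`. The path is decoded exactly once, as the web
    server would do before handing it to the application; decoding it
    again here would reopen the hole through double-encoded sequences."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested path")
    base_real = base.resolve()
    # Treat the request as relative even when it starts with a slash, then
    # resolve symlinks and '..' components before comparing against base.
    candidate = (base_real / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise TraversalError(f"{requested!r} resolves outside {base}") from None
    return candidate


def classify(base: Path, requests: list[str]) -> dict[str, bool]:
    """True for requests that stay inside base, False for rejected ones."""
    result: dict[str, bool] = {}
    for req in requests:
        try:
            resolve_under(base, req)
            result[req] = True
        except TraversalError:
            result[req] = False
    return result


def make_sandbox() -> Path:
    """Constructed fixture: a served directory with one real file and a
    symlink pointing outside it. The symlink stands in for an operator's
    shortcut that a naive string-prefix check would not notice."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    base = root / "webroot"
    (base / "config").mkdir(parents=True)
    (base / "config" / "app.ini").write_text("[db]\nhost=localhost\n")
    outside = root / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("not for clients\n")
    os.symlink(outside, base / "shortcut")
    return base


# Constructed requests covering the legitimate case and the usual escapes.
SAMPLE_REQUESTS = [
    "config/app.ini",                   # legitimate file under the root
    "../outside/secret.txt",            # plain traversal
    "%2e%2e/outside/secret.txt",        # percent-encoded dots
    "config/../../outside/secret.txt",  # traversal after a valid prefix
    "/config/app.ini",                  # absolute form, treated as relative
    "shortcut/secret.txt",              # escape through a symlink
    "%252e%252e/outside/secret.txt",    # double-encoded: stays a literal name
]


if __name__ == "__main__":
    base = make_sandbox()
    for req, ok in classify(base, SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {req}")
```

The double-encoded request is accepted because, after a single decode, `%2e%2e` is just an odd directory name that does not exist under the root; the handler would answer 404 rather than serve anything. A handler that decoded twice would turn it back into `..`, which is why the number of decoding passes is part of the check, not an implementation detail.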

Coordinated disclosure policy

When the Secra team finds a vulnerability in a third-party product or service, we follow a coordinated process that puts end-user protection first:

  1. We reach out to the vendor via official channels (security.txt, bug bounty, PSIRT or commercial contact).
  2. We deliver a detailed technical report with PoC, impact, reproduction steps and recommendations.
  3. We grant a reasonable window (typically 90 days) for the vendor to develop and roll out the fix.
  4. Once patched, we coordinate the advisory publication and, where appropriate, request the CVE identifier from MITRE or an authorised CNA.
  5. We do not disclose exploitable details until the vendor's customers have an update available.

If you are a vendor and want to reach out about a potential finding our team has made on your product, write to contacto@secra.es with the subject 'Security advisory'.

Want an audit held to this standard?

The same team that publishes NVD-tracked advisories audits your applications, infrastructure and cloud. If you want to understand the real risks in your organisation, let's start with a free initial assessment.

Request assessment
