Research & Disclosure

Security Research

Giving back to the community is part of our work as an offensive cybersecurity firm.

Our commitment to the community

At Secra we not only hunt for vulnerabilities inside client engagements; we also spend time looking at widely used products and services. When we find a security issue, we contact the affected vendor under responsible (coordinated) disclosure and work with them until the fix is available to all users.

Below is the list of public advisories signed off by our team. Each entry links to the official NVD record at NIST so you can review the technical detail and the applied fix.

Published advisories

CVE-2025-40652
Severity: Medium
CVSS 5.3

Stored Cross-Site Scripting (XSS) in CoverManager

Vendor: CoverManager
Status: Patched

Stored Cross-Site Scripting (XSS) vulnerability in the CoverManager booking application. An unauthenticated remote attacker could inject JavaScript that persisted in the product database and ran in the browser of any user opening the affected page.

Impact: Session hijacking, JavaScript execution in the victim's browser context, impersonation of restaurant staff and access to personal reservation data.

CVE-2023-3512
Severity: High
CVSS 7.5

Relative path traversal in ConacWin CB (Setelsa Security)

Vendor: Setelsa Security
Status: Patched by vendor

Unauthenticated relative path traversal vulnerability in ConacWin CB, Setelsa Security's physical access control management software. A remote attacker could download arbitrary files from the server by sending relative paths through the product's download parameter. Fixed in version 3.8.2.3.

Impact: File disclosure, exposure of configuration containing secrets and potential chaining with other issues to escalate impact on the access control system.

Coordinated disclosure policy

When the Secra team finds a vulnerability in a third-party product or service, we follow a coordinated process that puts end-user protection first:

  1. We reach out to the vendor via official channels (security.txt, bug bounty, PSIRT or commercial contact).
  2. We deliver a detailed technical report with PoC, impact, reproduction steps and recommendations.
  3. We grant a reasonable window (typically 90 days) for the vendor to develop and roll out the fix.
  4. Once patched, we coordinate the advisory publication and, where appropriate, request the CVE identifier from MITRE or an authorised CNA.
  5. We do not disclose exploitable details until the vendor's customers have an update available.

If you are a vendor and want to reach out about a potential finding our team has made on your product, write to contacto@secra.es with the subject 'Security advisory'.

Want an audit held to this standard?

The same team that publishes NVD-tracked advisories audits your applications, infrastructure and cloud.