Cyber Posture

CVE-2020-36926

High · Public PoC

Published: 16 January 2026

Modified: 09 February 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (18.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36926 is a high-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in SmarterTools SmarterTrack. Its CVSS base score is 7.5 (High).

Operationally, it ranks at the 18.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-497

Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems.

addresses: CWE-497

Employs detection to prevent unauthorized mining of sensitive system information and its exfiltration to external control spheres.

addresses: CWE-497

Documenting where system information is processed and stored prevents exposure to unauthorized control spheres.

addresses: CWE-497

The control stops sensitive system information from crossing into unauthorized control spheres through EM emanations.

addresses: CWE-497

Authorization and minimization requirements keep PII out of test/research control spheres that often lack production-grade protections.

addresses: CWE-497

Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres.

addresses: CWE-497

System information is concealed or replaced with decoys, reducing leakage to unauthorized observers.

addresses: CWE-497

Ensures sensitive system information is not disclosed outside the intended control sphere through error output.

NVD Description

SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers.

Deeper analysis (AI)

CVE-2020-36926 is an information disclosure vulnerability in SmarterTrack version 7922. The issue affects the Chat Management search form, accessible via the /Management/Chat/frmChatSearch.aspx endpoint, which exposes agent identification details including first names, last names, and unique identifiers. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-497.

Remote, unauthenticated attackers can exploit the vulnerability by directly accessing the affected endpoint over the network with low complexity and no user interaction required. Successful exploitation enables retrieval of sensitive agent personal information, which could facilitate targeted social engineering, phishing, or reconnaissance for subsequent attacks.

References include a proof-of-concept exploit on Exploit-DB (ID 50328), vendor resources from SmarterTools, and an advisory from VulnCheck detailing the SmarterTrack information disclosure. Security practitioners should review these sources for any recommended mitigations, such as endpoint access restrictions or software updates.

Details

CWE(s)

Affected Products

smartertools
smartertrack
10.0, 14.0

CVEs Like This One

CVE-2025-52691 (Same vendor: Smartertools)
CVE-2026-23760 (Same vendor: Smartertools)
CVE-2026-24423 (Same vendor: Smartertools)
CVE-2026-24377 (Shared CWE-497)
CVE-2025-9986 (Shared CWE-497)
CVE-2026-34413 (Shared CWE-497)
CVE-2025-9110 (Shared CWE-497)
CVE-2026-24222 (Shared CWE-497)
CVE-2025-13616 (Shared CWE-497)
CVE-2025-1144 (Shared CWE-497)

References