From the Debian advisory:

CVE-2012-1118:
Mantis installations in which the private_bug_view_threshold
configuration option has been set to an array value do not
properly enforce bug viewing restrictions.

CVE-2012-1119:
Copy/clone bug report actions fail to leave an audit trail.

CVE-2012-1120:
The delete_bug_threshold/bugnote_allow_user_edit_delete
access check can be bypassed by users who have write
access to the SOAP API.

CVE-2012-1122:
Mantis performed access checks incorrectly when moving bugs
between projects.

CVE-2012-1123:
A SOAP client sending a null password field can authenticate
as the Mantis administrator.

CVE-2012-2692:
Mantis does not check the delete_attachments_threshold
permission when a user attempts to delete an attachment from
an issue.