From the Debian advisory:

Mantis installations in which the private_bug_view_threshold
configuration option has been set to an array value do not
properly enforce bug viewing restrictions.

Copy/clone bug report actions fail to leave an audit trail.

access check can be bypassed by users who have write
access to the SOAP API.

Mantis performed access checks incorrectly when moving bugs

A SOAP client sending a null password field can authenticate
as the Mantis administrator.

Mantis does not check the delete_attachments_threshold
permission when a user attempts to delete an attachment from