Mantis before 0.17.4 allows remote attackers to list project bugs without authentication by modifying the cookie that is used by the "View Bugs" page.
https://exchange.xforce.ibmcloud.com/vulnerabilities/9899
http://www.securityfocus.com/bid/5514
http://www.debian.org/security/2002/dsa-153