Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00648.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00504.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/45395
http://www.securityfocus.com/bid/31344
http://www.securityfocus.com/archive/1/496684/100/0/threaded
http://www.securityfocus.com/archive/1/496625/100/0/threaded
http://www.gentoo.org/security/en/glsa/glsa-200812-07.xml
http://securityreason.com/securityalert/4298
http://secunia.com/advisories/32975
http://secunia.com/advisories/32330