Mantisbt (>= 2.23.0, <= 2.28.1)

MantisBT is vulnerable to a missing authorization check in its file visibility function, allowing authenticated users with REPORTER or higher access to download attachments on private bugnotes they should not be able to access through the REST API and SOAP API, affecting versions 2.23.0 to 2.28.1.