Product
MantisBT versions 2.28.3 and earlier are vulnerable to a SQL injection within the `history_order` configuration value in `core/history_api.php`, allowing an authenticated administrator to inject malicious SQL via the web UI or REST API, which then executes whenever any user views a bug with history entries, leading to sensitive data extraction and potential Remote Code Execution (RCE) via webshell if the MySQL FILE privilege is enabled.