GHSA-GGW7-9675-6V4V MantisBT has an authorization bypass in private issue monitoring
Using a crafted POST request to bugmonitoradd.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private...