Version 1.2.18 of MantisBT fixes unspecified information disclosure issue [1]. Upstream bug (private) is at [2]. [1]: http://seclists.org/oss-sec/2014/q4/955 [2]: http://www.mantisbt.org/bugs/view.php?id=17243
Upstream commit that fixes this issue: https://github.com/mantisbt/mantisbt/commit/f779e3d4394a0638d822849863c4098421d911c5
Fedora and EPEL all have 1.2.19; closing.