http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6515 "Mantis before 1.1.0a2 sets the default value of $g_bug_reminder_threshold to "reporter" instead of a more privileged role, which has unknown impact and attack vectors, possibly related to frequency of reminders."

The CVE entry says 1.0.6 is vulnerable; however, it looks to me as if it's not, see the change in revision 1.283.2.1.2.1.2.1.2.2.2.11 at http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/config_defaults_inc.php?view=log

FC-3 and FC-4 appear to be vulnerable.
AFAICT, 1.0.6 is definitely not affected: http://www.mantisbugtracker.com/bugs/view.php?id=7543

I should ask on extras-list what I am supposed to do with legacy stuff. I believe security is important, but I can't afford to guarantee updates for 5 branches. However, the situation could improve if http://www.mantisbugtracker.com/bugs/view.php?id=7663 will be done in time for 1.1.0.
FC3/4 are not receiving updates anymore. FC5 and newer are not affected. Closing.