CVE-2014-7146 was assigned to the following issue:

""
When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
""

CVE-2014-8598 was assigned to the following issues:

""
The XML Import/Export "official" plugin (i.e. bundled with MantisBT releases) currently does not perform any access level checks in the import and export pages. This leads to the following vulnerabilities:


1) import

Any user of a MantisBT instance with the XML plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level.


This vulnerability is particularly dangerous when used in combination with the one described in issue #17725 [1] (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks.


2) export

There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). 
""

These issues affect versions 1.2.0a3 up to and including 1.2.17. They will be fixed in a future 1.2.18 release.

Upstream fixes:
https://github.com/mantisbt/mantisbt/commit/bed19db9
https://github.com/mantisbt/mantisbt/commit/80a15487

References:
http://seclists.org/oss-sec/2014/q4/576
http://seclists.org/oss-sec/2014/q4/577