It was reported [1] that there is no security check in bug_report.php to prevent unauthorized users from setting the handler_id parameter, allowing them to assign issues regardless of their access level. [1]: https://www.mantisbt.org/bugs/view.php?id=17878