Comment 5 for bug 1011823

In , Glsamaker (glsamaker) wrote:

CVE-2012-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2692):
  MantisBT before 1.2.11 does not check the delete_attachments_threshold
  permission when form_security_validation is set to OFF, which allows remote
  authenticated users with certain privileges to bypass intended access
  restrictions and delete arbitrary attachments.

CVE-2012-2691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2691):
  The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11
  does not properly check privileges, which allows remote attackers with bug
  reporting privileges to edit arbitrary bugnotes via a SOAP request.
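
Both CVEs above describe the same class of defect: an authorization check that is either coupled to an unrelated setting (CSRF validation for the attachment delete) or replaced by a weaker check (may-report-bugs instead of may-edit-this-note for the SOAP note update). The following PHP is an added illustration written for this page; it is not MantisBT's code and it does not reproduce the project's actual fix. The config option names mirror MantisBT's (delete_attachments_threshold, form_security_validation, update_bugnote_threshold, bugnote_user_edit_threshold), but the ON/OFF and REPORTER/DEVELOPER constants, the users, the note table and every function body are constructed stand-ins, and the "vulnerable" shapes are one plausible form of the coupling the CVE text describes, not the historical code.

```php
<?php
// Added example (not MantisBT code): authorization must not depend on
// CSRF-token validation being enabled, and a SOAP handler must check the
// same privilege the web UI checks. Everything below is constructed.

const OFF = 0;            // MantisBT-style boolean config values (assumed)
const ON  = 1;
const REPORTER  = 25;     // MantisBT access-level constants (assumed values)
const DEVELOPER = 50;

// Constructed configuration: the weak deployment has CSRF validation OFF.
$g_config = [
    'form_security_validation'     => OFF,
    'delete_attachments_threshold' => DEVELOPER,
    'update_bugnote_threshold'     => DEVELOPER,  // edit anyone's note
    'bugnote_user_edit_threshold'  => REPORTER,   // edit your own note
];

// Constructed users and bugnote table.
$g_users = ['alice' => REPORTER, 'bob' => DEVELOPER];
$g_notes = [7 => ['author' => 'bob', 'text' => 'original']];

function config_get(string $key) { global $g_config; return $g_config[$key]; }
function user_level(string $u): int { global $g_users; return $g_users[$u]; }
function form_token_valid(?string $token): bool { return $token === 'good-token'; }

// Vulnerable shape (assumed, illustrating the CVE-2012-2692 text): the
// privilege check sits inside the branch that also validates the CSRF token,
// so switching validation OFF silently switches authorization off as well.
function delete_attachment_vulnerable(string $user, ?string $token): bool {
    if (config_get('form_security_validation') == ON) {
        if (!form_token_valid($token)) return false;
        if (user_level($user) < config_get('delete_attachments_threshold')) return false;
    }
    return true; // attachment deleted
}

// Fixed shape: authorization is unconditional; CSRF validation is a separate,
// optional layer that can be disabled without affecting access control.
function delete_attachment_fixed(string $user, ?string $token): bool {
    if (user_level($user) < config_get('delete_attachments_threshold')) return false;
    if (config_get('form_security_validation') == ON && !form_token_valid($token)) return false;
    return true;
}

// Vulnerable shape (assumed, illustrating the CVE-2012-2691 text): the SOAP
// handler only checks that the caller may report bugs, never who owns the note.
function mc_issue_note_update_vulnerable(string $user, int $id, string $text): bool {
    global $g_notes;
    if (user_level($user) < REPORTER) return false;
    $g_notes[$id]['text'] = $text;
    return true;
}

// Fixed shape: the caller must own the note and meet the self-edit threshold,
// or meet the higher threshold for editing other users' notes.
function mc_issue_note_update_fixed(string $user, int $id, string $text): bool {
    global $g_notes;
    if (!isset($g_notes[$id])) return false;
    $own    = $g_notes[$id]['author'] === $user;
    $needed = $own ? config_get('bugnote_user_edit_threshold')
                   : config_get('update_bugnote_threshold');
    if (user_level($user) < $needed) return false;
    $g_notes[$id]['text'] = $text;
    return true;
}

// Demonstration: a reporter with no CSRF token exercises both code paths.
$results = [
    'vuln delete by reporter'    => delete_attachment_vulnerable('alice', null),
    'fixed delete by reporter'   => delete_attachment_fixed('alice', null),
    'fixed delete by developer'  => delete_attachment_fixed('bob', null),
    "vuln edit of bob's note"    => mc_issue_note_update_vulnerable('alice', 7, 'x'),
    "fixed edit of bob's note"   => mc_issue_note_update_fixed('alice', 7, 'y'),
    'fixed edit by note owner'   => mc_issue_note_update_fixed('bob', 7, 'z'),
];
foreach ($results as $label => $ok) {
    printf("%-28s %s\n", $label, $ok ? 'allowed' : 'denied');
}
```

Run it with `php` on the command line. With form_security_validation left OFF, the vulnerable delete path lets the reporter through because the threshold comparison is never reached, while the fixed path denies her and still permits the developer; for the note update, only the fixed variant stops the reporter from rewriting another user's note while letting the note's author edit it. The general lesson for review is that a per-request authorization check should be reachable on every code path (web form, SOAP, any other API) and must not live behind a configuration flag that administrators are allowed to turn off.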