I don't see a blog post for this one but this is what their email said:
Dear MantisBT users,
We would like to inform you of a critical security issue, allowing a remote attacker to reset any user's password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).
MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.
The purpose of this message is to give you advance notice and offer you a chance to patch your systems before disclosure of the vulnerability to the general public.
You will find the fix for the issue attached to this message. If you do not know how to apply a unified diff patch, you may also manually update verify.php:
locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):
MantisBT Critical Security Issue
Re: MantisBT Critical Security Issue
This issue was fixed more than two years ago. What's the purpose of posting this topic?
https://mantisbt.org/blog/archives/mantisbt/518