In MantisBT 2.24.3, SQL injection can occur in the "access" parameter of the mc_project_get_users function through the SOAP API.