viewallbugpage.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an invalid filter parameter, related to a filterensurevalidfilter call in currentuserapi.php.