Hi, found another information disclosure vulnerability/Full Path Disclosure on your application.
GET : https://www.localize.im/projects/[projiect ID/languages/[Language ID]
Just Add "" after any of those updatePhrases[ID] parameter.
Note: look like my last FPD Vulnerability report. doesn't it? but last one was at updatePhrases[previous][ID] that is fixed as you rolled out a fix for that.. i just went to check that the bug is fixed or not and found there is another parameter that is still vulnerable.
> Warning: trim() expects parameter 1 to be string, array given in /srv/data/web/vhosts/www.localize.im/htdocs/index.php on line 192
I Also Added a Screenshot of that FPD as attachment.. Thanks