CVE-2025-67102 is a SQL injection vulnerability classified under CWE-89, affecting the alldayoffs feature in Jorani versions up to 1.0.4. The flaw arises from improper sanitization of the 'entity' parameter, which is used in SQL queries without adequate validation or parameterization. An authenticated attacker can exploit this vulnerability by injecting malicious SQL commands through the entity parameter, enabling unauthorized data access or manipulation. The vulnerability requires the attacker to have valid credentials (low privilege requirement) but does not require any user interaction, making automated exploitation feasible once credentials are obtained. The CVSS v3.1 score of 7.6 reflects high confidentiality impact, moderate integrity and availability impacts, and low attack complexity. Although no public exploits or patches are currently available, the vulnerability poses a significant risk to organizations relying on Jorani for leave and absence management, as attackers could extract sensitive employee data, alter records, or disrupt service availability. The lack of patches necessitates immediate mitigation through configuration changes or access restrictions until official fixes are released.

The vulnerability can lead to unauthorized disclosure of sensitive employee and organizational data, including personal information and leave records, compromising confidentiality. Attackers may also modify or delete data, impacting data integrity and potentially causing operational disruptions. Availability could be affected if attackers execute commands that degrade or crash the database service. Given Jorani's role in HR management, exploitation could disrupt critical business processes related to workforce management. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with weak credential policies or insider threats. The absence of known exploits currently reduces immediate risk but does not preclude future attacks, especially as exploit code may be developed once the vulnerability becomes widely known. Organizations globally using Jorani are at risk of data breaches, compliance violations, and operational impact.

Until an official patch is released, organizations should implement strict access controls to limit who can authenticate to the Jorani system, enforcing strong password policies and multi-factor authentication. Review and restrict user privileges to the minimum necessary to reduce the risk of exploitation by low-privilege users. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the entity parameter. Conduct thorough input validation and sanitization on all user-supplied data, particularly the entity parameter, if custom modifications are possible. Monitor logs for unusual database queries or failed login attempts that could indicate exploitation attempts. Consider isolating the Jorani application and its database in a segmented network zone to limit lateral movement in case of compromise. Prepare for patch deployment by tracking vendor updates and testing patches in a controlled environment before production rollout.