Tags: windows, security, magento2, websecurity, content-security-policy

Do browsers really block external content?


We got a Magento2 project hacked recently. We don't know how they did it yet (I suppose it's some SQL injection), but the attackers included an external JS call using this code, where XXX is some part of an encoded URL:

new Function(atob(XXX))()

This is Adobe Commerce 2.4.5-p1 (yes, that's not the latest version, but I guess it's modern enough to feel it should be covered against SQL injections).

The point I can't understand is this: Magento2 theoretically controls which external resources should load or not, using a CSP whitelist file.

If some external resource is not included there, then it shouldn't load, and the browser shows a warning / error message: "Content-Security-Policy: The page’s settings observed the loading of a resource at XXX".

In this case we could see that message in the browser console for the offending script (so we understood it wasn't being loaded), but even so the malicious code was being applied to the webpage.

Another tricky point is that this happened exclusively on Windows computers, even with modern versions of the Google Chrome browser.

What am I missing here?
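The question describes two CSP behaviours that are easy to conflate: the host whitelist decides whether the browser will fetch an external script, while `new Function(atob(...))()` is string evaluation inside the page, which CSP governs with the separate `'unsafe-eval'` keyword rather than the host list. Also, the console wording "observed the loading of a resource" is what Firefox prints for a `Content-Security-Policy-Report-Only` header, which reports violations but blocks nothing. The following evaluator is an added example written for this page; it is not code from the question, from Magento or from any browser. The headers, page origin and script URLs in it are constructed, and the matcher only handles the source forms needed here (`'self'`, `'unsafe-eval'`, `*`, `https:`, and host sources with an optional `*.` prefix).

```javascript
// Added example (not from the original question or from Magento): a minimal
// evaluator for the script-src directive of a CSP header. It classifies how a
// policy treats (a) fetching an external <script src=...> and (b) evaluating a
// string with new Function(...) / eval(...), and whether the policy is
// enforced or report-only. Sample inputs are constructed for illustration.

// Split "dir v1 v2; dir2 v3" into { dir: [v1, v2], dir2: [v3] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// script-src falls back to default-src; null means "no restriction at all".
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// Compare a host-source pattern (optionally "*.example.com") with a URL's host.
function hostMatches(pattern, url) {
  const p = pattern.replace(/^https?:\/\//, "").replace(/\/.*$/, "").toLowerCase();
  const h = url.replace(/^https?:\/\//, "").replace(/\/.*$/, "").toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // ".example.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return p === h;
}

// Would the browser be permitted to fetch this external script?
function externalScriptAllowed(policy, scriptUrl, pageOrigin) {
  const srcs = scriptSources(policy);
  if (srcs === null) return true;
  for (const s of srcs) {
    const v = s.replace(/^'|'$/g, "").toLowerCase();
    if (v === "*") return true;
    if (v === "self" && hostMatches(pageOrigin, scriptUrl)) return true;
    if (v === "https:" && scriptUrl.startsWith("https://")) return true;
    if (!s.startsWith("'") && hostMatches(s, scriptUrl)) return true;
  }
  return false;
}

// new Function / eval need the explicit 'unsafe-eval' keyword; hosts are irrelevant.
function evalAllowed(policy) {
  const srcs = scriptSources(policy);
  if (srcs === null) return true;
  return srcs.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Summarise the outcome, distinguishing enforced from report-only policies.
function classify(headerName, header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const enforced = headerName.toLowerCase() === "content-security-policy";
  const outcome = (ok) => (ok ? "allowed" : enforced ? "blocked" : "reported only");
  return {
    enforced,
    externalScript: outcome(externalScriptAllowed(policy, scriptUrl, pageOrigin)),
    stringEval: outcome(evalAllowed(policy)),
  };
}

// Constructed sample: a storefront whitelisting itself and one CDN.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const PAGE_ORIGIN = "https://shop.example.com";

if (typeof require !== "undefined" && require.main === module) {
  console.log(classify("Content-Security-Policy", SAMPLE_POLICY,
    "https://unlisted.example.net/x.js", PAGE_ORIGIN));
  console.log(classify("Content-Security-Policy-Report-Only", SAMPLE_POLICY,
    "https://unlisted.example.net/x.js", PAGE_ORIGIN));
  console.log(classify("Content-Security-Policy", SAMPLE_POLICY + " 'unsafe-eval'",
    "https://unlisted.example.net/x.js", PAGE_ORIGIN));
}

module.exports = { parseCsp, externalScriptAllowed, evalAllowed, classify, SAMPLE_POLICY, PAGE_ORIGIN };
```

Run with `node csp_check.js` (the filename is an assumption). The third call shows the case the question's console message points at: with `'unsafe-eval'` present, the unlisted host is still refused as a fetch, yet `new Function(atob(...))()` is allowed to run, so a policy can log a violation for the external URL and still let the decoded payload execute. With a Report-Only header, nothing is blocked at all regardless of the whitelist; checking which header name the storefront actually sends is the first thing to verify.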


Solution

  • Theoretically, any software can at any time be vulnerable to one or more exploits unknown to you or the software developers; such is the nature of "0-Day Exploits".

    Your version of Adobe Commerce has four listed vulnerabilities; whether or not these could have been the cause in your case, I think you would need to determine yourself.

    You claim that Adobe Commerce 2.5.1-P1 is modern enough to be secured against SQL Injection. While much effort has likely gone into that area, there is no reason to assume that any version of any software is secured against all exploits, which is why security updates are a constant battle and patching is such a priority for many organisations.

    Similarly, the way Chrome handles CSP could potentially have had its own exploits which allowed the attacker to link in external content. Hopefully someone else can suggest a possible cause for that one.