We have a customer on version 22.214.171.124. They have all the latest patches. Today, someone tried to order from the site and put a script in their name. The order went through with the link to a remote script. How is this possible? Seems like a major security risk to Magento. See attached screenshot of what it looks like in the admin. This hack is the same as the one posted here: https://community.magento.com/t5/Security-Patches/Hacking-Attempts/td-p/84696 I'd be surprised if others are not also getting attacked in this manner.
Don't worry, they are secure. If they were vulnerable, they should not have even seen those tags and realized that they were hacked just by looking at it there. That script tag is just converted to text by Magento, so the script is not actually firing to call that malicious file.
To be sure, take a look in the database at how those values were stored. You should find the htmlentities.
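Added example, not part of the thread and not Magento code: a PHP sketch of the check the replies describe, classifying how a submitted name was stored and confirming that escaped output contains no live tag. The function names, the row layout and the sample values (including the `example.invalid` URL) are constructed for illustration.

```php
<?php
// Added example: names and sample rows are constructed, not Magento code or real order data.
const TAG_PATTERN = '/<\s*\/?\s*[a-z][^>]*>/i';

// How was the value saved: plain text, raw markup, or markup already entity-encoded?
function classifyStoredValue(string $value): string
{
    if (preg_match(TAG_PATTERN, $value) === 1) {
        return 'raw-markup';
    }
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($decoded !== $value && preg_match(TAG_PATTERN, $decoded) === 1) {
        return 'entity-encoded-markup';
    }
    return 'plain';
}

// Escape at output. double_encode=false keeps already-encoded values from
// turning into "&amp;lt;" in the page.
function renderEscaped(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Report every row whose name is not plain text, and whether the escaped
// output would still contain a live tag (it never should).
function auditNames(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $kind = classifyStoredValue($row['name']);
        if ($kind === 'plain') {
            continue;
        }
        $html = renderEscaped($row['name']);
        $findings[] = [
            'order'    => $row['order'],
            'stored'   => $kind,
            'live_tag' => preg_match(TAG_PATTERN, $html) === 1,
        ];
    }
    return $findings;
}

$rows = [ // constructed sample values
    ['order' => 'SAMPLE-1', 'name' => 'Alice Example'],
    ['order' => 'SAMPLE-2', 'name' => '<script src="https://example.invalid/x.js"></script>'],
    ['order' => 'SAMPLE-3', 'name' => '&lt;script src=&quot;https://example.invalid/x.js&quot;&gt;&lt;/script&gt;'],
];
print_r(auditNames($rows));
```

A `stored` value of `raw-markup` is not by itself a compromise as long as every template that prints the field escapes it; a `live_tag` of `true` is the case that needs attention.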