One can add, say, a system property with the value <script>something<script>. It will show as text on the System Property page, but in the Security audit log viewer this script will run. More than this, the Security audit log viewer will not show previous entries if the one with the script is in the currently displayed range. This could be a problem in a production environment, as you can't fix it by deleting the faulty system property: the audit entry will stay there unless one deletes it in the database.
Patch under review (courtesy Peter Johnson).
Modified and applied patch; performed light testing via admin console. Presumed fixed.
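The report above turns on the audit viewer writing stored values into the page without encoding them. The sketch below is an added example, not the patch that was applied and not the project's code; it shows render-time encoding that makes rows already stored in the database inert. All function names and sample rows are constructed for illustration.

```javascript
// Added illustration: render-time output encoding for an audit log viewer.
// Function names and sample rows are constructed; this is not the applied patch.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use in an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: stored fields are concatenated straight into the markup.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.time}</td><td>${entry.user}</td><td>${entry.detail}</td></tr>`;
}

// After: every field is encoded when the row is rendered, so entries that
// are already stored display as text without being rewritten or deleted.
function renderRowSafe(entry) {
  const cells = [entry.time, entry.user, entry.detail]
    .map((field) => `<td>${escapeHtml(field)}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

function renderAuditTable(entries, renderRow = renderRowSafe) {
  return `<table>${entries.map(renderRow).join('')}</table>`;
}

// Count tags a browser would parse as the start of a script element.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample rows; the middle one carries the value from the report.
const sampleEntries = [
  { time: '2000-01-01T10:00:00Z', user: 'admin', detail: 'Login succeeded' },
  { time: '2000-01-01T10:05:00Z', user: 'admin',
    detail: 'System property set: demo=<script>something<script>' },
  { time: '2000-01-01T10:06:00Z', user: 'admin', detail: 'System property removed: demo' },
];

console.log('unsafe script tags:', countScriptTags(renderAuditTable(sampleEntries, renderRowUnsafe)));
console.log('safe script tags:  ', countScriptTags(renderAuditTable(sampleEntries)));
```

Encoding at render time rather than at write time matters here because, as the report notes, the audit entry outlives the system property that produced it.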