A vulnerability exists in ZKAccess Security System version 5.3.1 (build 5.3.12252). This vulnerability allows an authenticated attacker to inject arbitrary HTML or script code through the holiday_name and memo POST parameters. Such an injection could be used to steal session cookies, deface the management interface, or perform other malicious actions within the context of the logged‑in administrator session.