CVE-2021-27888

ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters.