The InvokerServlet class can allow attackers to invoke any class on the server.
The deprecated InvokerServlet class can be used to invoke any class available to the server's virtual machine. By guessing the fully qualified name of a class, an attacker can load not only Servlet classes, but also POJO classes or any other class available to the JVM.
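An added example, not part of the original page: a deployment-descriptor check that reports every servlet backed by InvokerServlet and the URL patterns that expose it. It assumes a Tomcat-style web.xml; the package name org.apache.catalina.servlets, the /servlet/* pattern, and the sample descriptor are constructed for illustration and do not come from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the page): one invoker, one ordinary servlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>orders</servlet-name>
    <servlet-class>com.example.OrderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>orders</servlet-name>
    <url-pattern>/orders</url-pattern>
  </servlet-mapping>
</web-app>"""

def local(tag):
    """Drop the XML namespace so namespaced and plain descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if there is none."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def find_invoker_mappings(web_xml):
    """Return {servlet-name: [url-patterns]} for servlets backed by InvokerServlet."""
    root = ET.fromstring(web_xml)
    # Match on the simple class name so any package prefix is caught.
    findings = {child_text(e, "servlet-name"): [] for e in root.iter()
                if local(e.tag) == "servlet"
                and child_text(e, "servlet-class").endswith("InvokerServlet")}
    for e in root.iter():
        name = child_text(e, "servlet-name")
        if local(e.tag) == "servlet-mapping" and name in findings:
            findings[name] += [(c.text or "").strip() for c in e
                               if local(c.tag) == "url-pattern"]
    return findings

if __name__ == "__main__":
    print(find_invoker_mappings(SAMPLE_WEB_XML))
```

A non-empty result means the invoker is declared in the descriptor; an empty pattern list means it is declared but has no mapping in that file.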