ABSTRACT

The InvokerServlet class can allow attackers to invoke any class on the server.

EXPLANATION

The deprecated InvokerServlet class can be used to invoke any class available to the server's virtual machine. By guessing the fully qualified name of a class, an attacker can load not only Servlet classes, but also POJO classes or any other class available to the JVM.
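As an added example that is not part of this description, the following Python audit parses a Tomcat web.xml (a constructed sample is embedded), reports every url-pattern through which the InvokerServlet is reachable, and produces the corrected file with the invoker's declaration and mapping removed. It assumes the conventional Tomcat class name org.apache.catalina.servlets.InvokerServlet and its usual /servlet/* mapping.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample: a conf/web.xml excerpt with the invoker enabled (Servlet 2.4 namespace).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop namespace: Servlet 2.3 (DTD) and 2.4+ files both match

def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None

def _invoker_names(root):  # servlet-names declared with the invoker class (match by class, not name)
    return {_text(e, "servlet-name") for e in root
            if _local(e.tag) == "servlet" and _text(e, "servlet-class") == INVOKER_CLASS}

def find_invoker_mappings(web_xml):
    """url-patterns through which InvokerServlet is reachable; an empty list means it is disabled."""
    root = ET.fromstring(web_xml)
    names = _invoker_names(root)
    return [_text(e, "url-pattern") for e in root
            if _local(e.tag) == "servlet-mapping" and _text(e, "servlet-name") in names]

def remove_invoker(web_xml):
    """The fix: drop the invoker's <servlet> and <servlet-mapping> entries, keep everything else."""
    root = ET.fromstring(web_xml)
    names = _invoker_names(root)
    for e in list(root):
        if _local(e.tag) in ("servlet", "servlet-mapping") and _text(e, "servlet-name") in names:
            root.remove(e)
    return ET.tostring(root, encoding="unicode")
```

Running `find_invoker_mappings` over the server's conf/web.xml and every deployed WEB-INF/web.xml is a quick check that the invoker is not still reachable after an upgrade.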
