This application uses a serialisation-based session mechanism and is vulnerable to arbitrary object injection as a result.