The vulnerability is caused by a Controller taking a general object as a parameter.
Solution:
Add the following code to the Controller class:
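// Requires org.springframework.web.bind.WebDataBinder and org.springframework.web.bind.annotation.InitBinder
@InitBinder()
public void initBinder(WebDataBinder binder) {
    // Name the fields that must never be bound from request parameters; an empty array blocks nothing.
    binder.setDisallowedFields(new String[]{});
}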
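The effect of the disallowed-field list can be checked outside a running application. The following is an added example, not code from the original page: the Account class, its admin property and the sample parameters are hypothetical, and it assumes spring-web is on the classpath. It binds the same constructed parameters twice, once with an empty list and once with the field named.

```java
import java.util.Arrays;
import java.util.Map;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.web.bind.WebDataBinder;

public class DisallowedFieldsDemo {

    // Hypothetical form object; "admin" stands for any property the client must not set.
    public static class Account {
        private String name;
        private boolean admin;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Binds constructed request parameters onto a fresh Account, as Spring MVC
    // does for an object parameter of a controller method, and reports the result.
    static Account bind(String... disallowed) {
        Account target = new Account();
        WebDataBinder binder = new WebDataBinder(target);
        binder.setDisallowedFields(disallowed);
        // Constructed sample input: the client sends a parameter the form never offered.
        binder.bind(new MutablePropertyValues(Map.of("name", "alice", "admin", "true")));
        System.out.println("disallowed=" + Arrays.toString(disallowed)
                + " name=" + target.getName()
                + " admin=" + target.isAdmin()
                + " suppressed="
                + Arrays.toString(binder.getBindingResult().getSuppressedFields()));
        return target;
    }

    public static void main(String[] args) {
        bind();        // empty list, as in the snippet on this page
        bind("admin"); // the sensitive field named explicitly
    }
}
```

Fields rejected by the binder are recorded in the BindingResult's suppressed-field list, which is a convenient thing to log when checking that a binder configuration is actually in force.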
reference: