Clarification Sorry, we should have filled in this before making the issue public.
The attached patch can be applied to any version of Confluence from 1.3 - 2.9.1. It works by filtering out URL parameters that are known to be dangerous. To apply the patch, follow the instructions given by Roberto below.
You do not need to patch Confluence 2.9.2 as it already includes this fix.