High Clarification Sorry, we should have filled in this before making the issue public.
The attached patch can be applied to any version of Confluence from 1.3 - 2.9.1. It works by filtering out URL parameters that are known to be dangerous. To apply the patch, follow the instructions given by Roberto below.
You do not need to patch Confluence 2.9.2 as it already includes this fix.
[CONFSERVER-13092] Provide Patch for XWork ParametersInterceptor attacks
| Workflow | Original: JAC Bug Workflow v3 [ 2893252 ] | New: CONFSERVER Bug Workflow v4 [ 2985247 ] |
| Workflow | Original: JAC Bug Workflow v2 [ 2783281 ] | New: JAC Bug Workflow v3 [ 2893252 ] |
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Workflow | Original: JAC Bug Workflow [ 2708852 ] | New: JAC Bug Workflow v2 [ 2783281 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2373720 ] | New: JAC Bug Workflow [ 2708852 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 2258894 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2373720 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2209804 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 2258894 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2155652 ] | New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2209804 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 1911157 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2155652 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v3 [ 1718430 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 1911157 ] |
| Workflow | Original: CONF Bug Subtask WF (TEMP) [ 1670097 ] | New: Confluence Workflow - Public Facing - Restricted v3 [ 1718430 ] |