As part of our post-release review process for the 3.6.4 release, the Joomla! Security Strike Team has identified and confirmed an additional side effect of the issue resolved in security advisory 20161002 (CVE-2016-8869) and as such we have revised our assessment of this issue.

As stated in the advisory, the incorrect use of unfiltered data in Joomla! 3.4.4 through 3.6.3 allowed a malicious user to register on a website with elevated privileges. Through this same attack vector, we have additionally confirmed that it was possible under some circumstances to overwrite an existing user’s account data with a spoofed request.

Although the issue relies on an earlier exploit which has already been resolved in the 3.6.4 release, security advisory 20161003 was published for this issue.

Updating to Joomla! 3.6.4 ensures this vulnerability has been patched and there is nothing further that you need to do.