Joomla has just released the latest version of its CMS, which includes patches for two critical security vulnerabilities and a bug fix. The account creation bug could allow any user to register on a website, even if the registration process has been disabled. The elevated privileges flaw could enable users to perform advanced functions on a registered site that ordinary users are not authorized to do. Both the critical vulnerabilities affect version 3.4.4 through 3.6.3. The update also includes a bug-fix for Two-Factor Authentication.
Source: https://thehackernews.com/2016/10/joomla-security-update.html