Recently, the JSST (Joomla Security Strike Team) fixed several security flaws in Joomla!. The JSST also noted that Joomla! 3.6.5 includes additional security hardening mechanisms beyond these fixes.
[20161203] - Core - Information Disclosure
An information disclosure vulnerability exists in Joomla 3.0.0 through 3.6.4. It was reported in April 2016 and fixed in December 2016. Inadequate ACL checks in the Beez3 com_content article layout override allow an attacker to view restricted content, because the override renders articles without applying the access checks the core layout performs. CVE-2016-9837 has been assigned to this vulnerability.
The severity of this vulnerability is rated as low.
The solution is to upgrade to Joomla 3.6.5.
[20161202] - Core - Shell Upload
A shell upload vulnerability exists in Joomla 3.0.0 through 3.6.4. It was reported in October 2016 and fixed in December 2016. Inadequate filesystem checks allow files with alternative PHP file extensions to be uploaded. The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which allows an attacker to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt` extensions. Additionally, JHelperMedia::canUpload() did not blacklist these file extensions as uploadable file types. Whether such an upload actually executes depends on the web server mapping those extensions to the PHP handler, but common Apache PHP configurations do map several of them, so the extension check alone was the only barrier. CVE-2016-9836 has been assigned to this vulnerability.
The severity of this vulnerability is marked as low.
The solution available is to upgrade to Joomla 3.6.5.
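To make the extension-handling gap concrete, here is an added example written for this page, not Joomla's own code, in Python rather than PHP: a simplified stand-in for the weak "last extension only" check beside a hardened check that treats every dotted segment as an extension, compares case-insensitively, rejects NUL bytes, and scans content for a PHP open tag. The forbidden-extension lists, the `PHP_TAG` pattern and the sample uploads are constructed assumptions, not the lists shipped in 3.6.5.

```python
import re

# Constructed stand-in for the weak check described in the advisory:
# a short blacklist matched only against the final extension.
# Assumption for illustration, not Joomla's actual list.
WEAK_FORBIDDEN = {"php", "phps", "php3", "php4", "php5"}

# Constructed hardened list: the alternative extensions named in
# CVE-2016-9836 plus a few other commonly executed ones (assumption,
# not the exact list shipped in 3.6.5).
HARDENED_FORBIDDEN = WEAK_FORBIDDEN | {"php6", "php7", "phtml", "phpt", "pht", "phar", "inc"}

# PHP open tag (long form or short echo form), case-insensitive.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def weak_is_file_safe(filename: str) -> bool:
    """Only the last dot-separated segment, case-sensitive.
    Passes shell.php7, shell.PHP and shell.php.jpg."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in WEAK_FORBIDDEN


def hardened_is_file_safe(filename: str, content: bytes = b"") -> bool:
    """Reject on any of:
    - a NUL byte in the name (truncation tricks at the filesystem layer)
    - any extension segment, not just the last, in the forbidden set
      (shell.php7.jpg is caught), compared case-insensitively
    - a PHP open tag anywhere in the content, whatever the name says
    """
    if "\x00" in filename:
        return False
    segments = filename.lower().split(".")[1:]
    if any(seg in HARDENED_FORBIDDEN for seg in segments):
        return False
    if PHP_TAG.search(content):
        return False
    return True


# Constructed sample uploads: filename -> first bytes of content.
SAMPLE_UPLOADS = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php7": b"<?php system($_GET['c']); ?>",
    "shell.phtml": b"<?php system($_GET['c']); ?>",
    "shell.phpt": b"<?php system($_GET['c']); ?>",
    "shell.PHP7": b"<?php system($_GET['c']); ?>",
    "shell.php7.jpg": b"<?php system($_GET['c']); ?>",
    "shell.php\x00.jpg": b"<?php system($_GET['c']); ?>",
    "avatar.gif": b"GIF89a<?php system($_GET['c']); ?>",
}


def compare(uploads=SAMPLE_UPLOADS):
    """Return {filename: (weak_verdict, hardened_verdict)};
    True means the check would accept the upload."""
    return {
        name: (weak_is_file_safe(name), hardened_is_file_safe(name, data))
        for name, data in uploads.items()
    }


def bypasses(uploads=SAMPLE_UPLOADS):
    """Filenames the weak check accepts but the hardened check rejects."""
    return sorted(n for n, (weak, hard) in compare(uploads).items() if weak and not hard)


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name!r:24} weak={'accept' if weak else 'reject':6} "
              f"hardened={'accept' if hard else 'reject'}")
```

Running it prints the verdict table; `shell.php7`, `shell.phtml` and `shell.phpt` pass the weak check and fail the hardened one, which is the CVE. The hardened check also rejects mixed case, double extensions, NUL bytes and image files that carry PHP code, cases the advisory does not list but which the same class of filter should cover.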
[20161201] - Core - Elevated Privileges
An elevated privilege vulnerability exists in Joomla 1.6.0 through 3.6.4, a much wider range than the two issues above. It was reported in November 2016 and fixed in December 2016. Incorrect use of unfiltered data stored in the session on a form validation failure enables existing user accounts to be modified, including resetting their username, password, and user group assignments. CVE-2016-9838 has been assigned to this vulnerability.
The severity of this vulnerability is marked as high.
The solution is to upgrade to Joomla 3.6.5.
Reference: https://developer.joomla.org/security-centre.html