Joomla has just published a Revised Assessment of 3.6.4 Security Release just a couple of days after the urgent Joomla 3.6.4 Critical Security Release that addresses 2 critical security vulnerabilities.
Basically the Joomla Security Strike Team has confirmed the original implications where malicious hackers could exploit the vulnerabilities to create their own administrator account but the team also confirmed that "under certain circumstances" the attackers could alter existing user accounts ( -- yes, even admin accounts).
The CB Team has also taken a closer look at Community Builder 2.0 installations on Joomla 3 environments and discovered that such sites are actually protected against these nasty Joomla vulnerabilities. By default, all CB 2.0+ installations automatically enable the CB system plugin that redirects Joomla registration and login requests to the equivalent CB requests that are not affected by these Joomla vulnerabilities.
So, simply put: all CB 2.0 / Joomla 3.x sites are protected from these Joomla vulnerabilities.
Please note that our recommendation is still to upgrade all Joomla sites to Joomla 3.6.4 as soon as possible, and additionally rename the Joomla htaccess.txt file (and configure it to your base folder if needed) for added protection.