In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS.
https://developer.joomla.org/security-centre/813-20200601-core-xss-in-modules-heading-tag-option