In Joomla! prior to 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS.
joomla joomla\\!