Joomla 3.8.4 Notes about the Security Patches
From Joomla! Documentation
In Joomla 3.8.4, the Joomla Security Strike Team (JSST) started to implement a series of XSS protection patches for the backend that could affect some use cases. All these issues have been found by internal audits done by the JSST.
Who is affected?
In Joomla 3.8.4, the JSST fixed 2 XSS issues that fall into that category:
- Core - XSS vulnerability in module chromes
- Core - XSS vulnerability in com_fields
This pertains only to Joomla version(s): 3.8.4+
Module Chromes (CVE-2018-6380)
This patch fixes a longstanding issue with the module chrome where the module_tag parameter in the system and Protostar templates lacks escaping, which could lead to an XSS attack. This issue is fixed in Joomla 3.8.4, but only for the core templates. Please contact your template provider so they can check the corresponding module chromes.
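For template providers checking their own module chromes, the following added example (not Joomla core code and not taken from this page) contrasts a chrome that outputs module_tag unescaped with one that escapes it. The ParamsStub class, the function names, the tag allowlist and the sample value are assumptions made for the illustration.

```php
<?php
// Added illustration: stand-alone sketch, not Joomla core or Protostar code.
// ParamsStub is a hypothetical stand-in for the module's parameter object.
final class ParamsStub
{
    private array $data;

    public function __construct(array $data)
    {
        $this->data = $data;
    }

    public function get(string $key, $default = null)
    {
        return $this->data[$key] ?? $default;
    }
}

// Before: module_tag is concatenated into the markup exactly as stored.
function chrome_unescaped(string $content, ParamsStub $params): string
{
    $tag = $params->get('module_tag', 'div');

    return '<' . $tag . ' class="moduletable">' . $content . '</' . $tag . '>';
}

// After: module_tag is escaped before output. The allowlist is an extra
// hardening step chosen for this example; the page only mentions escaping.
function chrome_escaped(string $content, ParamsStub $params): string
{
    $allowed = ['div', 'section', 'aside', 'article', 'nav', 'header', 'footer'];
    $tag     = htmlspecialchars((string) $params->get('module_tag', 'div'), ENT_QUOTES, 'UTF-8');

    if (!in_array(strtolower($tag), $allowed, true)) {
        $tag = 'div'; // anything that is not a plain, expected tag name falls back
    }

    return '<' . $tag . ' class="moduletable">' . $content . '</' . $tag . '>';
}

// Constructed sample value: a "tag name" that tries to close the tag early.
$params = new ParamsStub(['module_tag' => 'div><script>/* constructed */</script><div']);

echo chrome_unescaped('<p>Module body</p>', $params), PHP_EOL;
echo chrome_escaped('<p>Module body</p>', $params), PHP_EOL;
```

When reviewing a template, look for every place where a module parameter is written into markup and confirm it passes through escaping (or a fixed list of permitted values) first.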
The com_fields patch fixes a problem where XSS code could be entered in the Text / Value options of com_fields plugins such as Checkbox, Radio and List. As a side effect of no longer allowing XSS, the com_fields labels can no longer be output as HTML.