These vulnerabilities source the payload from a component of the address bar, usually the fragment, and use javascript sinks to trigger DOM based XSS.
Location.hash

Sources from the location.hash and sinks into various javascript functions.

Location

Sources from the raw location and sinks into various javascript functions.

Others

Various other sources and sinks: the first value represents the DOM source, the second the JS sink.