Base Tag Hijacking

  • CAPEC 19
  • WASC 8
  • PCI 3.2-6.5.7

An attacker who controls the href attribute of a <base> tag in the HTML changes the base URL against which the page's relative URLs are resolved. This means that resources (e.g. images, scripts) can be loaded from an attacker-controlled domain and executed in the context of the page. The impact of this vulnerability is almost the same as that of a cross-site scripting vulnerability.

Remediation

Validate user input so that it cannot control the <base> tag. The Content-Security-Policy (CSP) base-uri directive can also help prevent changes to the <base> element. The base-uri directive defines the URIs that a user agent may use as the document base URL.

Content-Security-Policy: base-uri 'self'
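
The check below is an added example, not part of the original advisory: it audits a single response for an off-origin <base href>, lists the relative script URLs that the tag would redirect, and reports whether the response's base-uri directive blocks it. The function names, the shop.example / attacker.example hosts and the sample markup are constructed for illustration, and only 'none', 'self' and exact-origin sources are matched.

```javascript
// Added example: audit one response for base tag hijacking exposure.
// Regex tag matching is a simplification; use a real HTML parser in tooling.

// Source list of the base-uri directive, or null when it is absent.
// base-uri does not fall back to default-src, so null means unrestricted.
function baseUriSources(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "base-uri") return sources;
  }
  return null;
}

// Values of attribute `attr` on every <tag ...> found in the markup.
function attrValues(html, tag, attr) {
  const re = new RegExp(
    `<${tag}\\b[^>]*?\\b${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "gi");
  return [...html.matchAll(re)].map((m) => m[1] ?? m[2] ?? m[3]);
}

function auditBase(pageUrl, html, csp) {
  const page = new URL(pageUrl);
  const [href] = attrValues(html, "base", "href"); // first <base href> wins
  const sources = baseUriSources(csp);
  const base = href === undefined ? page : new URL(href, page);
  const offOrigin = base.origin !== page.origin;
  // Simplified source matching: 'none', 'self' and exact origins only.
  const allowed = sources === null ||
    (!sources.includes("'none'") &&
      ((sources.includes("'self'") && !offOrigin) || sources.includes(base.origin)));
  const blockedByCsp = href !== undefined && !allowed;
  const effective = href !== undefined && allowed ? base : page;
  // Script URLs whose origin changes once the <base> is applied.
  const redirected = attrValues(html, "script", "src")
    .filter((src) => new URL(src, page).origin !== new URL(src, effective).origin)
    .map((src) => new URL(src, effective).href);
  return { offOrigin, cspHasBaseUri: sources !== null, blockedByCsp, redirected };
}

// Constructed sample: reflected input produced a <base> pointing off-origin.
const sampleHtml = `<head><base href="https://attacker.example/"></head>
<body><script src="js/app.js"></script><script src="https://cdn.example/lib.js"></script></body>`;
console.log(auditBase("https://shop.example/cart", sampleHtml, "default-src 'self'"));
console.log(auditBase("https://shop.example/cart", sampleHtml, "default-src 'self'; base-uri 'self'"));
```

The first call shows that a policy with only default-src leaves the relative script redirected, because base-uri has no fallback; the second shows the same markup neutralised once base-uri 'self' is present.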