All JSON web services are, by default, accessible without authentication. Due to this vulnerability, anyone can create a new user with administrator rights.
Option 1: Turn off all JSON web services by adding the following to portal-ext.properties
Option 2: Disable anonymous access to JSON web services by adding the following to portal-ext.properties:
jsonws.web.service.public.methods=
Option 2 reduces the risk but does not completely eliminate it. Option 1 eliminates the risk, but some portal functionality will no longer work.
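
For Option 2, a missing or commented-out key is not the same as an empty value: only the empty value changes the open default. The following added example (not part of the original advisory and not Liferay code) audits the text of a portal-ext.properties file for that. It assumes a simplified .properties syntax and that a later duplicate key overrides an earlier one; the function names and sample files are constructed.

```python
# Added example (not Liferay code): audit portal-ext.properties for Option 2.
KEY = "jsonws.web.service.public.methods"  # property name as given on the page


def parse_properties(text):
    """Simplified Java .properties parsing: '#'/'!' comments, '=' or ':'
    separators, backslash continuations; a later duplicate key wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i != -1]
        if cuts:
            key, value = line[:min(cuts)].strip(), line[min(cuts) + 1:].strip()
        else:
            key, value = line, ""
        props[key] = value
    return props


def audit_jsonws(text):
    """Return 'restricted' only when the key is present and empty."""
    props = parse_properties(text)
    if KEY not in props:
        return "default"     # key absent: the open default still applies
    if props[KEY] == "":
        return "restricted"  # Option 2 as written on the page
    return "public"          # methods are still listed for anonymous callers


# Constructed sample files, not taken from a real portal.
SAMPLES = {
    "untouched": "# site overrides\ncompany.default.name=Example\n",
    "commented-out": "#jsonws.web.service.public.methods=\n",
    "option-2": "jsonws.web.service.public.methods=\n",
    "overridden-later": (
        "jsonws.web.service.public.methods=\n"
        "jsonws.web.service.public.methods = get*,\\\n    has*\n"
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:18} {audit_jsonws(text)}")
```

A result of "restricted" confirms only that Option 2 is in effect in the file; as stated above, Option 2 reduces the risk without eliminating it.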