According to the documentation, the web interface ships with a default admin password:
“Programming links to settings page ( username [admin] and password [pass] are required.)”
Without authenticating, the splash page will also reveal the internal IP address of the device.
Finally, the /set/comment.html page contains a stored XSS (CVE-2013-78009). You reach this page by clicking “Add HACCP Note”, then insert a standard XSS string in the “Comment” field (newhaccpcomment parameter). It doesn’t seem to scrub any user input.
POST /set/comment.html HTTP/1.1
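The fix for the comment field, shown as an added Python example that is not the device's firmware or the author's code: the stored value is HTML-encoded when rendered, and existing notes are audited for markup. The handler shape, the function names and the sample POST body are assumptions constructed for illustration; only the newhaccpcomment parameter name comes from the page.

```python
import html
import re
from urllib.parse import parse_qs

NOTES = []      # stand-in for the device's stored HACCP notes (assumption)
MAX_LEN = 500   # hypothetical length limit for a note

# Constructed sample body for a POST to /set/comment.html
SAMPLE_BODY = "newhaccpcomment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def store_comment(post_body):
    """Parse a urlencoded body and store the newhaccpcomment field."""
    fields = parse_qs(post_body, keep_blank_values=True)
    comment = fields.get("newhaccpcomment", [""])[0]
    # Drop control characters and bound the length. Markup is kept as data
    # and neutralised at output time, where the rendering context is known.
    comment = "".join(c for c in comment if c.isprintable() or c in "\n\t")
    comment = comment[:MAX_LEN]
    NOTES.append(comment)
    return comment


def render_unsafe(notes):
    """Behaviour the page describes: stored input echoed without encoding."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in notes) + "</ul>"


def render_safe(notes):
    """Hardened form: every stored note is HTML-encoded when rendered."""
    items = "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in notes)
    return "<ul>" + items + "</ul>"


def flag_stored_markup(notes):
    """Audit helper: return notes already in storage that contain a tag opener."""
    tag_opener = re.compile(r"<\s*/?\s*[A-Za-z!]")
    return [n for n in notes if tag_opener.search(n)]


if __name__ == "__main__":
    store_comment(SAMPLE_BODY)
    print(render_unsafe(NOTES))
    print(render_safe(NOTES))
    print(flag_stored_markup(NOTES))
```

Encoding at render time also covers notes that were stored before the fix, which input filtering alone would not.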
Reported to ICS-CERT: 2013-04-10
ICS-CERT passed to CERT/CC: 2013-04-19
CERT/CC assigns VU#647752: 2013-04-25
CERT/CC says issues too low risk to coordinate disclosure: 2013-05-06