Stored XSS in the system log (authentication attempts) makes it possible for an attacker to exfiltrate an administrator's session cookie. The cookie is not HttpOnly.
Arbitrary file upload in the firmware section. The file-type check is performed client-side, which makes it possible for an attacker to change the file type to .php and upload a webshell.
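A server-side check of the kind the firmware upload is missing, as an added example that is not the vendor's code. The `.bin` extension, the `FWIM` magic bytes, the size limit and the function name are assumptions made for illustration; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the advisory): firmware images use a .bin extension
// and start with the 4-byte magic "FWIM".
const FW_ALLOWED_EXT = ['bin'];
const FW_MAGIC = "FWIM";
const FW_MAX_BYTES = 64 * 1024 * 1024;

/**
 * Validate an uploaded firmware image on the server and return the
 * server-chosen name it should be stored under (outside the web root).
 */
function validate_firmware_upload(string $clientName, string $tmpPath): string
{
    // Use only the final path component, and only to read the extension.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, FW_ALLOWED_EXT, true)) {
        throw new RuntimeException("extension not allowed");
    }
    $size = filesize($tmpPath);
    if ($size === false || $size < strlen(FW_MAGIC) || $size > FW_MAX_BYTES) {
        throw new RuntimeException("unexpected size");
    }
    // Check the content itself, not the client-declared type.
    $head = file_get_contents($tmpPath, false, null, 0, strlen(FW_MAGIC));
    if ($head !== FW_MAGIC) {
        throw new RuntimeException("not a firmware image");
    }
    // Never reuse the client's file name for storage.
    return bin2hex(random_bytes(16)) . '.bin';
}

// Constructed sample inputs: [client file name, file content].
$samples = [
    ['firmware-1.2.bin', "FWIM" . str_repeat("\0", 32)],
    ['firmware.php',     "<?php /* placeholder */"],
    ['firmware.php.bin', "<?php /* placeholder */"],
];
foreach ($samples as [$name, $content]) {
    $tmp = tempnam(sys_get_temp_dir(), 'fw');
    file_put_contents($tmp, $content);
    try {
        echo $name, ' -> stored as ', validate_firmware_upload($name, $tmp), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $name, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
    unlink($tmp);
}
```

In a real handler the two arguments come from the `$_FILES` entry (`name` and `tmp_name`), and the file is moved with `move_uploaded_file()` into a directory the web server does not execute scripts from.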