Edit a client ("OAuth Server > Clients) and put the following payload in the "Client ID" field: "><script>alert(/XSS/)</script>

The XSS will be triggered in the Clients list, as well as when editing the client

v4.2.1 added sanitisation, but no escaping, so a payload like " style=animation-name:rotation onanimationstart=alert(/XSS/)// would work as well (but only be triggered when editing the client)